Flexible Authentication Model in ESM
This chapter provides information about Flexible Authentication Models in ESM.
Applicability
This chapter is applicable to SR OS routers in the Routed Central Office (RCO) model and was initially written for SR OS Release 11.0.R2, but the CLI in the current edition is based on SR OS Release 15.0.R2.
Overview
The flexible authentication model for IPoE and PPPoE subscribers allows for mixing of configuration parameters obtained during the authentication phase from different sources: Local User Database (LUDB), RADIUS, or DHCP options that can be populated via a custom Python script. If the same parameter is available from multiple sources, a priority mechanism is enforced whereby the parameter received from a higher-priority source overrides the parameter received from a lower-priority source, in the following priority: LUDB to RADIUS to Python.
In this chapter we will configure a dual-stack IPoE and a dual-stack PPPoE host using four different methods to obtain their configuration parameters. The setup will utilize a single BNG node with a locally configured DHCP server and LUDB as well as an external RADIUS server. Subscriber hosts are instantiated on managed (dynamic) SAPs.
The subscriber configuration parameters are in general divided into two categories:
IP addressing parameters of the host — IPv4/v6 address/prefix, DNS servers, IPv4 default-gateway, IPv4 subnet-mask, IPv4/v6 address pool name, DHCPv4/v6 lease times, etc.
Non-IP addressing parameters of the host — Subscriber host strings are used to associate the subscriber-host with the desired level of service (sub/sla-profiles, inter-dest-id string, etc); managed routes are used for routing purposes to/from the host; etc.
The following four scenarios will be examined:
DHCP relay case (IP address is assigned via local DHCP server) with NO authentication. See DHCP Relay Case with No Authentication.
DHCP relay case (IP address is assigned via local DHCP server) with LUDB + RADIUS authentication. See DHCP Relay Case with LUDB + RADIUS Authentication.
RADIUS provides: sub/sla-profile strings and a framed IPv4 route.
LUDB provides: IP address pool, inter-dest-id string for Vport assignment, msap-defaults (routing context parameters and msap-policy).
IP proxy case (IP address is assigned via RADIUS) with LUDB + RADIUS authentication. See IP Proxy Case with LUDB + RADIUS Authentication.
RADIUS provides: IP addresses and related parameters (DNS server, IPv4 default-gateway, etc), inter-dest-id string for Vport assignment and a framed route.
IPv6 lease-times are provided under the group-interface.
LUDB provides: sub/sla-profile strings and msap-defaults (routing context parameters and msap-policy).
IP proxy case (IP address is assigned via LUDB) with LUDB + RADIUS authentication. See IP Proxy Case with LUDB + RADIUS Authentication.
RADIUS provides: sub/sla-profile strings and a framed IPv4 route.
LUDB provides IP addresses and related parameters (DNS server, IPv4 default-gateway, etc), inter-dest-id string for Vport assignment and msap-defaults (routing context parameters and msap-policy).
In cases 2-4, the domain-name domain1 is appended to the IPoE and PPPoE username in LUDB, before RADIUS authentication takes place.
Configuration
The topology is shown in Topology.
There is a common part of the configuration that applies uniformly across all four examined scenarios. This common part is outlined below and will not be repeated again when we describe more specific cases. It is assumed that the more specific cases also contain this common part of the configuration.
Common Configuration Part
Access Ethernet Port with QinQ Encapsulation
The following output displays a configuration example.
configure
port 1/1/1
ethernet
mode access
encap-type dot1q
exit
exit
exit
Capture SAP
A capture SAP is used to dynamically detect the VLAN id(s) in incoming DHCP/PPPoE packets (triggering packets) and conditionally instantiate the managed (dynamic) SAP. LUDB must be configured under the capture SAP to authorize the user accessing the capture SAP. The LUDB may contain additional parameters needed to set up the subscriber, it may point the subscriber to the RADIUS server for additional parameters, or it may contain a default subscriber-host entry without any configuration parameters.
In this case, the msap-defaults under the capture SAP is used to select the routing context where the MSAP is created. msap-defaults can also be configured in the LUDB or be supplied via RADIUS.
PPPoE policy and msap policy are used to define PPPoE and SAP level parameters. Because the (dynamic) SAP does not exist at the time when the initial DHCP/PPPoE packets are received, the PPPoE/SAP level parameters are taken from the PPPoE/msap policy under the capture SAP. For example, those parameters are used in the PPP PADx/LCP/Authentication setup phase, they define default subscriber host strings, maximum number of subscriber hosts per SAP, the anti-spoofing mode, etc.
The X in the LUDB name (ludb-X) has to be replaced by a number depending on the scenario.
configure
service
vpls 2 customer 1 create
stp
shutdown
exit
sap 1/1/1:* capture-sap create
description "open DHCP model testing"
trigger-packet dhcp dhcp6 pppoe
dhcp-user-db "ludb-X"
dhcp6-user-db "ludb-X"
pppoe-policy "pppoe-pol-1"
pppoe-user-db "ludb-X"
msap-defaults
group-interface "grp-int-1"
policy "msap-pol-1"
service 1
exit
exit
no shutdown
exit
exit
exit
auto-sub-id
The auto-sub-id-key command can be used in situations where the more specific subscriber-id string is not returned from LUDB or RADIUS. In this case, the auto subscriber-id for IPoE hosts is set to the circuit-id, while for PPPoE hosts the auto subscriber-id is set to the circuit-id plus session-id separated by the "|" delimiter, which is inserted by default.
configure
subscriber-mgmt
auto-sub-id-key
ipoe-sub-id-key circuit-id
ppp-sub-id-key circuit-id session-id
exit
exit
exit
PPPoE Policy
The number of PPPoE sessions per MAC on a managed SAP is limited. The default is 1 but is increased here to 10.
configure
subscriber-mgmt
ppp-policy "pppoe-pol-1" create
ppp-mtu 1400
max-sessions-per-mac 10
exit
exit
exit
MSAP Policy
The MSAP policy defines the anti-spoofing mode which is in this particular example set to next-hop MAC (nh-mac). It also defines the default subscriber management parameters in case they are not supplied via LUDB or RADIUS.
configure
subscriber-mgmt
msap-policy "msap-pol-1" create
sub-sla-mgmt
def-sub-id use-auto-id
def-sub-profile "sub-profile-1"
def-sla-profile "sla-profile-1"
sub-ident-policy "sub-ident-1"
multi-sub-sap limit 500
exit
ies-vprn-only-sap-parameters
anti-spoof nh-mac
exit
exit
exit
exit
subscriber-interface Configuration
The following output displays a subscriber interface configuration.
configure
service
vprn 1 customer 1 create
subscriber-interface "sub-int-1" create
# support for un-numbered IPv4 clients
allow-unmatching-subnets
# default gateway for IPv4 numbered clients
address 10.12.0.1/24
ipv6
# fixed delegated prefix length for IA-PD
delegated-prefix-len 56
# support for un-numbered IPv6 clients
allow-unmatching-prefixes
exit
group-interface "grp-int-1" create
ipv6
router-advertisements
# hint to the client to use DHCPv6
managed-configuration
# enabling router-advertisements
no shutdown
exit
dhcp6
# must be the same as under the capture-SAP
user-db "ludb-1"
exit
exit
# ARP table is populated based on the lease state table
arp-populate
dhcp
server 10.10.1.1
# accept DHCP packets on this group interface
trusted
# max number of DHCPv4 clients on each
# SAP of this group-interface
lease-populate 100
# must be the same as under the capture-SAP
user-db "ludb-1"
no shutdown
exit
pppoe
policy "pppoe-pol-1"
session-limit 1000
sap-session-limit 1000
# must be the same as under the capture-SAP
user-db "ludb-1"
no shutdown
exit
exit
exit
no shutdown
exit
exit
exit
For numbered/unnumbered subscriber-hosts also take a look at the DHCP/PPPoE clients whose assigned IP address is outside of any IP subnet/prefix configured under the subscriber-interface.
Specific Configuration Parts
DHCP Relay Case with No Authentication
The IP address is assigned via local DHCP server. The LUDB is accessed even in the scenario without authentication. There must be a default host LUDB entry present that will match on any value specified in the match-list criteria. The LUDB is accessed from the capture SAP (part of the common configuration).
configure
subscriber-mgmt
local-user-db "ludb-1" create
description "for CASE-1"
ipoe
# host matching is based on circuit-ID in DHCP packets
match-list circuit-id
host "default" create
no shutdown
exit
exit
ppp
# host matching is based on PPPoE username
match-list username
host "default" create
# explicitly enable IPCPv6
force-ipv6cp
no shutdown
exit
exit
no shutdown
exit
exit
exit
Once the routing context (service id and group-interface) is determined as defined under the capture SAP defaults (part of the common configuration), the DHCP/PPPoE requests are served according to the group-interface configuration. The IP address request is relayed to the DHCPv4/v6 server. Since the LUDB does not provide a pool name, the gi-address and the link-address are used by the DHCP relay/server to select the pool from which the IP address will be assigned.
configure
service
vprn 1 customer 1 create
subscriber-interface "sub-int-1" create
group-interface "grp-int-1" create
ipv6
dhcp6
# DHCPv6 relay configuration
relay
link-address 2001:DB8:30::
# DHCPv6 server IPv6 address
server 2001:DB8::1
client-applications dhcp ppp
no shutdown
exit
exit
exit
arp-populate
dhcp
# DHCPv4 server IP address
server 10.10.1.1
client-applications dhcp ppp
gi-address 10.12.0.1
no shutdown
exit
exit
exit
no shutdown
exit
exit
exit
DHCPv4/v6 servers are locally configured in the node and attached to a loopback interface.
configure
service
vprn 1 customer 1 create
interface "int-DHCP" create
# IPv4 address which the DHCPv4 server is listening on
address 10.10.1.1/24
ipv6
# IPv6 address which the DHCPv6 server is listening on
address 2001:DB8::1/128
local-dhcp-server "svc-1-dhcp6"
exit
# attaching the DHCPv4 server to the loopback interface
local-dhcp-server "svc-1-dhcp4"
loopback
exit
exit
exit
exit
In the local DHCP servers two pools are defined:
LUDB — To be used for IP address assignment when LUDB returns the pool name.
Gi-addr — To be used when gi-address/link-address are used to select the pool for IP address assignment.
Lease times for IPv4 and IPv6 are configured in the local DHCP server which is used only in the relay case (when the IP address is supplied via DHCP server and not through RADIUS or the LUDB).
configure
service
vprn 1 customer 1 create
dhcp
local-dhcp-server "svc-1-dhcp4" create
# the gi-address can be used to select the pool
use-gi-address
# the pool name can be explicitly provided
use-pool-from-client
# the pool used when the LUDB provides the pool name
pool "ludb" create
options
dns-server 172.16.16.16 172.16.16.17
# DHCPv4 lease time
lease-time hrs 1
exit
subnet 10.10.0.0/24 create
options
subnet-mask 255.255.255.0
default-router 10.10.0.1
exit
address-range 10.10.0.100 10.10.0.200
exit
exit
# pool selected based on the gi-address
pool "gi-addr" create
options
dns-server 172.16.16.16 172.16.16.17
# DHCPv4 lease time
lease-time hrs 1
exit
subnet 10.12.0.0/24 create
options
subnet-mask 255.255.255.0
default-router 10.12.0.1
exit
address-range 10.12.0.100 10.12.0.200
exit
exit
no shutdown
exit
exit
dhcp6
local-dhcp-server "svc-1-dhcp6" create
use-link-address
use-pool-from-client
pool "ludb" create
prefix 2001:DB8:10::/48 pd wan-host create
preferred-lifetime min 30
rebind-timer min 20
renew-timer min 15
# DHCPv6 lease time
valid-lifetime hrs 1
options
dns-server 2001:DB8::1000 2001:DB8::1001
exit
exit
exit
pool "gi-addr" create
prefix 2001:DB8:30::/48 pd wan-host create
preferred-lifetime min 30
rebind-timer min 20
renew-timer min 15
# DHCPv6 lease time
valid-lifetime hrs 1
options
dns-server 2001:DB8::1000 2001:DB8::1001
exit
exit
exit
no shutdown
exit
exit
exit
exit
exit
Default sub/sla-profiles, from the msap-policy, are used (part of the common configuration).
configure
subscriber-mgmt
sla-profile "sla-profile-1" create
description "default SLA profile"
host-limits
overall 3
exit
exit
sub-profile "sub-profile-1" create
description "default SUB profile"
egress
agg-rate-limit 1000
exit
exit
exit
exit
Show Commands
The following command shows that the default sub/sla-profiles are in use, that the IP addresses are selected from the gi-addr pool in local DHCP server and that the subscriber-id is set to circuit-id for the IPoE subscriber-host and to username|session-id combination for the PPPoE subscriber-host.
*A:BNG-1# show service active-subscribers
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber open-dhcp-1 (sub-profile-1)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:11] - sla:sla-profile-1
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
10.12.0.107
00:0c:29:00:00:11 N/A DHCP 1 Y
2001:db8:30:103::1/128
00:0c:29:00:00:11 N/A DHCP6 1 Y
2001:db8:30:400::/56
00:0c:29:00:00:11 N/A DHCP6 1 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Subscriber open-pppoe-1|1 (sub-profile-1)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:21] - sla:sla-profile-1
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
10.12.0.108
00:0c:29:00:00:21 PPP 1 IPCP 1 Y
2001:db8:30:104::1/128
00:0c:29:00:00:21 PPP 1 DHCP6 1 Y
2001:db8:30:500::/56
00:0c:29:00:00:21 PPP 1 DHCP6-PD 1 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Number of active subscribers : 2
===============================================================================
*A:BNG-1#
The following command shows more details about the subscriber-host, such as the group-interface, address origin, acct-session-id, etc. Even though there are only two dual-stack hosts (one IPoE and one PPPoE), each of them has three IP addresses that show up as different hosts.
For the purpose of brevity, the output for only two IP hosts is shown, one with an IPv4 address and one with an IPv6 address. The remaining IP addresses/prefixes are not shown because the output follows the same logic.
*A:BNG-1# show service id 1 subscriber-hosts detail
=============================================================
Subscriber Host table
=============================================================
Sap Subscriber
IP Address
MAC Address PPPoE-SID Origin Fwding State
-------------------------------------------------------------
[1/1/1:11] open-dhcp-1
10.12.0.107
00:0c:29:00:00:11 N/A DHCP Fwding
-------------------------------------------------------------
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
Sub Profile : sub-profile-1
SLA Profile : sla-profile-1
App Profile : N/A
Egress Q-Group : N/A
Egress Vport : N/A
Acct-Session-Id : 14F2FF00000026591168E2
Acct-Q-Inst-Session-Id: 14F2FF00000027591168E2
Address Origin : Dynamic
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status : N/A
OT HTTP Rdr Fltr Src : N/A
HTTP Rdr URL Override : N/A
GTP local break-out : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
[1/1/1:11] open-dhcp-1
2001:db8:30:103::1/128
00:0c:29:00:00:11 N/A IPoE-DHCP6 Fwding
-------------------------------------------------------------
---snip---
-------------------------------------------------------------
[1/1/1:11] open-dhcp-1
2001:db8:30:400::/56
00:0c:29:00:00:11 N/A IPoE-DHCP6 Fwding
-------------------------------------------------------------
---snip---
-------------------------------------------------------------
[1/1/1:21] open-pppoe-1|1
10.12.0.108
00:0c:29:00:00:21 1 IPCP Fwding
-------------------------------------------------------------
---snip---
-------------------------------------------------------------
[1/1/1:21] open-pppoe-1|1
2001:db8:30:104::1/128
00:0c:29:00:00:21 1 PPP-DHCP6 Fwding
-------------------------------------------------------------
---snip---
-------------------------------------------------------------
[1/1/1:21] open-pppoe-1|1
2001:db8:30:500::/56
00:0c:29:00:00:21 1 PPP-DHCP6 Fwding
-------------------------------------------------------------
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
Sub Profile : sub-profile-1
SLA Profile : sla-profile-1
App Profile : N/A
Egress Q-Group : N/A
Egress Vport : N/A
Acct-Session-Id : 14F2FF0000002E5911690E
Acct-Q-Inst-Session-Id: 14F2FF0000002C5911690E
Address Origin : Dynamic
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status : N/A
OT HTTP Rdr Fltr Src : N/A
HTTP Rdr URL Override : N/A
GTP local break-out : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
Number of subscriber hosts : 6
=============================================================
*A:BNG-1#
The following command shows that there are no sub/sla-profile strings assigned to the subscriber. Instead the default sub/sla-profiles from the msap-policy are used.
The IP address is assigned by the DHCP server which also supplied the def-gw information, DNS servers, the net-mask and the lease time.
The circuit-id and the subscriber-id are set to the same value.
*A:BNG-1# show service id 1 dhcp lease-state detail
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID : 1
IP Address : 10.12.0.107
Client HW Address : 00:0c:29:00:00:11
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:11]
Termination Type : local
Up Time : 0d 00:02:11
Remaining Lease Time : 0d 00:57:49
Remaining SessionTime: N/A
Persistence Key : N/A
Sub-Ident : "open-dhcp-1"
Sub-Profile-String : ""
SLA-Profile-String : ""
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : ""
Category-Map-Name : ""
Lease Info origin : DHCP
Ip-Netmask : 255.255.255.0
Broadcast-Ip-Addr : N/A
Default-Router : 10.12.0.1
Primary-Dns : 172.16.16.16
Secondary-Dns : 172.16.16.17
Primary-Nbns : N/A
Secondary-Nbns : N/A
ServerLeaseStart : 05/09/2017 08:59:46
ServerLastRenew : 05/09/2017 08:59:46
ServerLeaseEnd : 05/09/2017 09:59:46
Session-Timeout : N/A
IPoE|PPP session : No
Lease-Time : 0d 01:00:00
DHCP Server Addr : 10.10.1.1
Relay Agent Information
Circuit Id : open-dhcp-1
Radius User-Name : ""
-------------------------------------------------------------------------------
Number of lease states : 1
===============================================================================
*A:BNG-1#
A similar command is used for DHCPv6 lease-state details.
For the purpose of brevity, the output for only two IPv6 leases is shown. The remaining two IPv6 leases are not shown because the output follows the same logic.
*A:BNG-1# show service id 1 dhcp6 lease-state detail
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID : 1
IP Address : 2001:db8:30:103::1/128
Client HW Address : 00:0c:29:00:00:11
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:11]
Termination Type : local
Up Time : 0d 00:02:34
Remaining Lease Time : 0d 00:57:26
Remaining SessionTime: N/A
Persistence Key : N/A
Sub-Ident : "open-dhcp-1"
Sub-Profile-String : ""
SLA-Profile-String : ""
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : ""
Category-Map-Name : ""
Dhcp6 ClientId (DUID): 0001000120a31b12000c29000011
Dhcp6 IAID : 2
Dhcp6 IAID Type : non-temporary
Dhcp6 Client Ip : fe80::20c:29ff:fe00:11
Primary-Dns : N/A
Secondary-Dns : N/A
Pool Name : ""
Dhcp6 Server Addr : 2001:db8::1
Dhcp6 ServerId (DUID): 0003000114f2ff000000
Dhcp6 InterfaceId : open-dhcp-1
Dhcp6 RemoteId : N/A
Radius sub-if prefix : N/A
Router adv. policy : N/A
Lease Info origin : DHCP
ServerLeaseStart : 05/09/2017 09:00:00
ServerLastRenew : 05/09/2017 09:00:00
ServerLeaseEnd : 05/09/2017 10:00:00
Session-Timeout : N/A
IPoE|PPP session : No
Radius User-Name : ""
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:30:104::1/128
Client HW Address : 00:0c:29:00:00:21
---snip---
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:30:400::/56
Client HW Address : 00:0c:29:00:00:11
---snip---
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:30:500::/56
Client HW Address : 00:0c:29:00:00:21
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:21]
Termination Type : local
Up Time : 0d 00:02:06
Remaining Lease Time : 0d 00:57:54
Remaining SessionTime: N/A
Persistence Key : N/A
Sub-Ident : "open-pppoe-1|1"
Sub-Profile-String : ""
SLA-Profile-String : ""
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : ""
Category-Map-Name : ""
Dhcp6 ClientId (DUID): 0001000120a33d28000c29000021
Dhcp6 IAID : 1
Dhcp6 IAID Type : prefix
Dhcp6 Client Ip : fe80::20c:29ff:fe00:21
Primary-Dns : N/A
Secondary-Dns : N/A
Pool Name : ""
Dhcp6 Server Addr : 2001:db8::1
Dhcp6 ServerId (DUID): 0003000114f2ff000000
Dhcp6 InterfaceId : open-pppoe-1
Dhcp6 RemoteId : N/A
Radius sub-if prefix : N/A
Router adv. policy : N/A
Lease Info origin : DHCP
ServerLeaseStart : 05/09/2017 09:00:30
ServerLastRenew : 05/09/2017 09:00:30
ServerLeaseEnd : 05/09/2017 10:00:30
Session-Timeout : N/A
IPoE|PPP session : PPP
Radius User-Name : "open-pppoe-1"
-------------------------------------------------------------------------------
Number of lease states : 4
===============================================================================
*A:BNG-1#
DHCP Relay Case with LUDB + RADIUS Authentication
IP address is assigned via local DHCP server.
RADIUS provides sub/sla-profile strings and a framed IPv4 route.
LUDB provides IP address pool, inter-dest-id string for Vport assignment, msap-defaults (routing context parameters and msap-policy).
Vport aggregate rate limit and the port scheduler are now added to the physical port. The Vport is associated with the subscriber through the inter-dest-id string obtained via LUDB.
configure
port 1/1/1
ethernet
mode access
encap-type dot1q
egress-scheduler-policy "port"
access
egress
vport "open-dhcp" create
agg-rate
rate 500
exit
host-match dest "open-auth-vport" create
exit
exit
exit
exit
no shutdown
exit
exit
The LUDB is used to assign the IP pool name (pool-name = ludb) and the inter-dest-id string (inter-dest-id = open-auth-vport) to the subscriber. The pool name is carried to the DHCP server via custom DHCP options [(82,9,13) in DHCPv4 and (17,1->wan_pool and 2->pfx_pool) in DHCPv6].
The domain name domain1 is appended to the username (circuit-id = open-dhcp-2 or username = open-pppoe-2) before an Access-Request message is sent to the RADIUS server which is configured in the authentication policy auth-pol-1.
The inter-dest-id string taken from the LUDB is passed to the subscriber management module in the node via DHCP option 254 in DHCP ACK/Reply.
configure
subscriber-mgmt
local-user-db "ludb-2" create
description "for CASE-2"
ipoe
match-list circuit-id
host "open-dhcp-2" create
host-identification
circuit-id string "open-dhcp-2"
exit
address pool "ludb"
auth-policy "auth-pol-1"
auth-domain-name "domain1"
identification-strings 254 create
inter-dest-id "open-auth-vport"
exit
msap-defaults
group-interface "grp-int-1"
policy "msap-pol-1"
service 1
exit
ipv6-wan-address-pool "ludb"
ipv6-delegated-prefix-pool "ludb"
no shutdown
exit
exit
ppp
match-list circuit-id mac username
host "open-ppp-2" create
host-identification
username "open-pppoe-2"
exit
auth-policy "auth-pol-1"
address pool "ludb"
password chap "letmein"
identification-strings 254 create
inter-dest-id "open-auth-vport"
exit
msap-defaults
group-interface "grp-int-1"
policy "msap-pol-1"
service 1
exit
ipv6-delegated-prefix-pool "ludb"
ipv6-wan-address-pool "ludb"
no shutdown
exit
exit
no shutdown
exit
exit
exit
The inter-dest-id string taken from the LUDB is passed to the subscriber management module in the node via DHCPv4/v6 option 254 that is specified in the subscriber identification policy.
configure
subscriber-mgmt
sub-ident-policy "sub-ident-1" create
strings-from-option 254
exit
exit
exit
The RADIUS server is defined via the authentication policy. The domain name can be appended to the PPPoE subscriber host directly via the authentication-policy, while for IPoE subscribers the domain name is appended via the authentication-policy in conjunction with the LUDB. This can be verified in the output (shown later) of the show service id 1 dhcp lease-state detail and show service id 1 dhcp6 lease-state detail commands (on the "radius user-name" line).
configure
subscriber-mgmt
authentication-policy "auth-pol-1" create
description "RADIUS authentication policy"
password "letmein"
ppp-user-name append "domain1"
user-name-format circuit-id append
accept-authorization-change
pppoe-access-method pap-chap
radius-server-policy "rad-serv-pol-1"
exit
exit
exit
The RADIUS user configuration file uses the domain-name extension, as inserted by the BNG, to authenticate the user:
open-dhcp-2@domain1 Cleartext-Password := "letmein"
    Alc-Subsc-Prof-Str = rad-sub,
    Alc-SLA-Prof-Str = rad-sla,
    Framed-Route = "192.168.1.0/24 0.0.0.0"
open-pppoe-2@domain1 Cleartext-Password := "letmein"
    Alc-Subsc-Prof-Str = rad-sub,
    Alc-SLA-Prof-Str = rad-sla,
    Framed-Route = "192.168.2.0/24 0.0.0.0"
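The link between the BNG configuration and this users file, as an added Python example (not Nokia's or FreeRADIUS code): it builds the User-Name the BNG sends (circuit-id or PPPoE username with the domain appended) and looks it up in a users file to obtain the reply attributes. The function names, the "@" join taken from the entries above, and the simplified cleartext comparison are assumptions of this example; the embedded file is a constructed copy of the two entries on the page.

```python
import hmac
import re

# name, operator, value (quoted string or bare word up to a comma/space)
ITEM = re.compile(r'([\w-]+)\s*(:=|\+=|==|=)\s*("[^"]*"|[^\s,]+)')

# Constructed sample: the two users-file entries shown on the page.
USERS_FILE = '''\
open-dhcp-2@domain1  Cleartext-Password := "letmein"
    Alc-Subsc-Prof-Str = rad-sub,
    Alc-SLA-Prof-Str = rad-sla,
    Framed-Route = "192.168.1.0/24 0.0.0.0"

open-pppoe-2@domain1  Cleartext-Password := "letmein"
    Alc-Subsc-Prof-Str = rad-sub,
    Alc-SLA-Prof-Str = rad-sla,
    Framed-Route = "192.168.2.0/24 0.0.0.0"
'''


def _items(text):
    """Return {attribute: value} for every 'Attr op value' item in text."""
    return {name: value.strip('"') for name, _op, value in ITEM.findall(text)}


def parse_users(text):
    """Parse a users file: a line starting in column 0 opens an entry with its
    check items; indented lines that follow carry the reply items.
    Repeated reply attributes collapse to the last one in this model."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError("reply item before any user entry")
            users[current]["reply"].update(_items(line))
        else:
            parts = line.split(None, 1)
            current = parts[0]
            users[current] = {
                "check": _items(parts[1] if len(parts) > 1 else ""),
                "reply": {},
            }
    return users


def radius_user_name(identity, domain=None):
    """identity is the circuit-id (IPoE) or the PPPoE username; the domain is
    what auth-domain-name / ppp-user-name append adds on the BNG."""
    return f"{identity}@{domain}" if domain else identity


def authorize(users, user_name, password):
    """Return the reply attributes for an Access-Accept, or None for a reject.
    Simplification: the password is compared as cleartext (no PAP/CHAP)."""
    entry = users.get(user_name)
    if entry is None:
        return None
    expected = entry["check"].get("Cleartext-Password")
    if expected is None:
        return None
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return dict(entry["reply"])


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    for identity in ("open-dhcp-2", "open-pppoe-2"):
        name = radius_user_name(identity, "domain1")
        print(name, authorize(users, name, "letmein"))
    # Without the appended domain there is no matching entry.
    print("open-dhcp-2", authorize(users, "open-dhcp-2", "letmein"))
```

For the IPoE host the identity is the circuit-id carried in the DHCP packet and the password is the one configured in the authentication policy, so the lookup succeeds only when the domain has been appended as configured in the LUDB.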
DHCPv4/v6 servers are locally configured in the SR OS and attached to a loopback interface:
configure
service
vprn 1 customer 1 create
interface "int-DHCP" create
# IPv4 address which the DHCPv4 server is listening on
address 10.10.1.1/24
ipv6
# IPv6 address which the DHCPv6 server is listening on
address 2001:DB8::1/128
# attach the DHCPv6 server to this loopback interface
local-dhcp-server "svc-1-dhcp6"
exit
# attach the DHCPv4 server to this loopback interface
local-dhcp-server "svc-1-dhcp4"
loopback
exit
exit
exit
exit
Group-interface configuration. Note that the common parts of the configuration, as defined earlier, still apply:
configure
service
vprn 1 customer 1 create
subscriber-interface "sub-int-1" create
group-interface "grp-int-1" create
ipv6
dhcp6
user-db "ludb-2"
# DHCPv6 relay configuration
relay
link-address 2001:DB8:30::
server 2001:DB8::1
client-applications dhcp ppp
no shutdown
exit
exit
exit
arp-populate
# DHCPv4 relay configuration
dhcp
proxy-server
emulated-server 10.12.0.1
no shutdown
exit
option
# SR OS will not insert its own circuit-ID
no circuit-id
# SR OS will not insert its own remote-ID
no remote-id
vendor-specific-option
pool-name
exit
exit
server 10.10.1.1
client-applications dhcp ppp
user-db "ludb-2"
no shutdown
exit
pppoe
policy "pppoe-pol-1"
session-limit 1000
sap-session-limit 1000
user-db "ludb-2"
no shutdown
exit
exit
exit
no shutdown
exit
exit
exit
Lease times for IPv4 and IPv6 are configured in the local DHCP server. Lease times under the local DHCP server are used only in the relay case (when IP address is supplied via DHCP server and not RADIUS or LUDB). In the proxy case, the lease times can be obtained via LUDB, RADIUS, or group-interface.
configure
service
vprn 1 customer 1 create
dhcp
local-dhcp-server "svc-1-dhcp4" create
# gi-address can be used to select the pool
use-gi-address
# pool name can be explicitly provided
use-pool-from-client
# pool used when LUDB provides the pool name
pool "ludb" create
options
dns-server 172.16.16.16 172.16.16.17
lease-time hrs 1
exit
subnet 10.10.0.0/24 create
options
subnet-mask 255.255.255.0
default-router 10.10.0.1
exit
address-range 10.10.0.100 10.10.0.200
exit
exit
# pool selected based on the gi-address
pool "gi-addr" create
options
dns-server 172.16.16.16 172.16.16.17
lease-time hrs 1
exit
subnet 10.12.0.0/24 create
options
subnet-mask 255.255.255.0
default-router 10.12.0.1
exit
address-range 10.12.0.100 10.12.0.200
exit
exit
no shutdown
exit
exit
dhcp6
local-dhcp-server "svc-1-dhcp6" create
use-link-address
use-pool-from-client
pool "ludb" create
prefix 2001:DB8:10::/48 pd wan-host create
preferred-lifetime min 30
rebind-timer min 20
renew-timer min 15
valid-lifetime hrs 1
options
dns-server 2001:DB8::1000 2001:DB8::1001
exit
exit
exit
pool "gi-addr" create
prefix 2001:DB8:30::/48 pd wan-host create
preferred-lifetime min 30
rebind-timer min 20
renew-timer min 15
valid-lifetime hrs 1
options
dns-server 2001:DB8::1000 2001:DB8::1001
exit
exit
exit
no shutdown
exit
exit
exit
exit
exit
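How the DHCPv4 server arrives at one of the two pools above, as an added Python example (not Nokia's code): it reads the pool name from option 82, sub-option 9, vendor sub-option 13 and then applies use-pool-from-client and use-gi-address to the page's ludb and gi-addr pools. The enterprise number 6527, the RFC 4243 layout of sub-option 9, the precedence of the pool name over the gi-address, the handling of an unknown pool name, and all function names are assumptions of this example.

```python
import ipaddress
import struct

CIRCUIT_ID = 1          # option 82 sub-option 1 (RFC 3046)
VENDOR_SPECIFIC = 9     # option 82 sub-option 9 (RFC 4243)
POOL_NAME = 13          # vendor sub-option 13, from the page's "(82,9,13)"
ENTERPRISE = 6527       # assumption: enterprise number used by SR OS

# DHCPv4 pools from local-dhcp-server "svc-1-dhcp4" on the page.
POOLS = {
    "ludb": ipaddress.ip_network("10.10.0.0/24"),
    "gi-addr": ipaddress.ip_network("10.12.0.0/24"),
}


def tlvs(data):
    """Split type/length/value records, rejecting truncated input."""
    pos, out = 0, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header")
        kind, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past end of data")
        out.append((kind, value))
        pos += 2 + length
    return out


def pool_name(option82):
    """Return the pool name carried in (82, 9, 13), or None if absent."""
    for code, body in tlvs(option82):
        if code != VENDOR_SPECIFIC:
            continue
        pos = 0
        while pos < len(body):
            if pos + 5 > len(body):
                raise ValueError("truncated enterprise header")
            enterprise, length = struct.unpack_from("!IB", body, pos)
            data = body[pos + 5:pos + 5 + length]
            if len(data) != length:
                raise ValueError("vendor data runs past end of sub-option")
            pos += 5 + length
            if enterprise != ENTERPRISE:
                continue
            for kind, value in tlvs(data):
                if kind == POOL_NAME:
                    return value.decode("ascii")
    return None


def select_pool(option82, giaddr, use_pool_from_client=True, use_gi_address=True):
    """Return (pool, reason). A pool name in the request wins over the
    gi-address; an unknown name is refused rather than falling back
    (this model's choice, not confirmed SR OS behaviour)."""
    name = pool_name(option82) if use_pool_from_client else None
    if name is not None:
        return (name, "pool-from-client") if name in POOLS else (None, "unknown-pool")
    if use_gi_address:
        gi = ipaddress.ip_address(giaddr)
        for pool, subnet in POOLS.items():
            if gi in subnet:
                return (pool, "gi-address")
    return (None, "no-match")


def build_option82(circuit_id, pool=None):
    """Construct sample option 82 contents (constructed data, not a capture)."""
    out = bytes([CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if pool is not None:
        name = pool.encode("ascii")
        vso = bytes([POOL_NAME, len(name)]) + name
        body = struct.pack("!IB", ENTERPRISE, len(vso)) + vso
        out += bytes([VENDOR_SPECIFIC, len(body)]) + body
    return out


if __name__ == "__main__":
    # Case 1: no pool name from the LUDB, relay gi-address 10.12.0.1.
    print(select_pool(build_option82(b"open-dhcp-1"), "10.12.0.1"))
    # Case 2: LUDB host entry sets address pool "ludb".
    print(select_pool(build_option82(b"open-dhcp-2", "ludb"), "10.12.0.1"))
```

With use_pool_from_client disabled, the second request falls back to the gi-addr pool, which is the difference between the addresses seen in the two scenarios.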
The sub/sla-profiles supplied via RADIUS are used:
configure
subscriber-mgmt
sla-profile "rad-sla" create
description "sla-profile obtained from RADIUS"
host-limits
overall 100
exit
egress
qos 1 vport-scheduler
exit
ip-filter 1
exit
exit
sub-profile "rad-sub" create
description "sub-profile obtained from RADIUS"
egress
agg-rate-limit 15000
exit
exit
exit
exit
Show Commands
The following command shows that the rad-sub/sla-profiles, as supplied via RADIUS, are in use.
The IP addresses are selected from the pool named ludb in the local DHCP server. The subscriber-id is the circuit-id for the IPoE subscriber-host and the username|session-id combination for the PPPoE subscriber-host.
*A:BNG-1# show service active-subscribers
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber open-dhcp-2 (rad-sub)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:12] - sla:rad-sla
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
10.10.0.102
00:0c:29:00:00:12 N/A DHCP 1 Y
2001:db8:10:101::1/128
00:0c:29:00:00:12 N/A DHCP6 1 Y
2001:db8:10:200::/56
00:0c:29:00:00:12 N/A DHCP6 1 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Subscriber open-pppoe-2|1 (rad-sub)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:22] - sla:rad-sla
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
10.10.0.103
00:0c:29:00:00:22 PPP 1 IPCP 1 Y
2001:db8:10:102::1/128
00:0c:29:00:00:22 PPP 1 DHCP6 1 Y
2001:db8:10:300::/56
00:0c:29:00:00:22 PPP 1 DHCP6-PD 1 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Number of active subscribers : 2
===============================================================================
*A:BNG-1#
The following command shows more details about the subscriber-host, such as the group-interface, vport, address origin, acct-session-id, etc. Vport is selected based on the inter-dest-id string supplied via the LUDB.
For the purpose of brevity, the output for only two hosts is shown, one with an IPv4 address and one with an IPv6 address. The remaining IP addresses/prefixes are not shown because the output follows the same logic.
*A:BNG-1# show service id 1 subscriber-hosts detail
=============================================================
Subscriber Host table
=============================================================
Sap Subscriber
IP Address
MAC Address PPPoE-SID Origin Fwding State
-------------------------------------------------------------
[1/1/1:12] open-dhcp-2
10.10.0.102
00:0c:29:00:00:12 N/A DHCP Fwding
-------------------------------------------------------------
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
Sub Profile : rad-sub
SLA Profile : rad-sla
App Profile : N/A
Egress Q-Group : N/A
Egress Vport : open-dhcp
Acct-Session-Id : 14F2FF0000002F59116C4A
Acct-Q-Inst-Session-Id: 14F2FF0000003059116C4A
Address Origin : Dynamic
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status : N/A
OT HTTP Rdr Fltr Src : N/A
HTTP Rdr URL Override : N/A
GTP local break-out : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
[1/1/1:12] open-dhcp-2
2001:db8:10:101::1/128
00:0c:29:00:00:12 N/A IPoE-DHCP6 Fwding
-------------------------------------------------------------
---snip---
-------------------------------------------------------------
[1/1/1:12] open-dhcp-2
2001:db8:10:200::/56
00:0c:29:00:00:12 N/A IPoE-DHCP6 Fwding
-------------------------------------------------------------
---snip---
-------------------------------------------------------------
[1/1/1:22] open-pppoe-2|1
10.10.0.103
00:0c:29:00:00:22 1 IPCP Fwding
-------------------------------------------------------------
---snip---
-------------------------------------------------------------
[1/1/1:22] open-pppoe-2|1
2001:db8:10:102::1/128
00:0c:29:00:00:22 1 PPP-DHCP6 Fwding
-------------------------------------------------------------
---snip---
-------------------------------------------------------------
[1/1/1:22] open-pppoe-2|1
2001:db8:10:300::/56
00:0c:29:00:00:22 1 PPP-DHCP6 Fwding
-------------------------------------------------------------
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
Sub Profile : rad-sub
SLA Profile : rad-sla
App Profile : N/A
Egress Q-Group : N/A
Egress Vport : open-dhcp
Acct-Session-Id : 14F2FF0000003759116C68
Acct-Q-Inst-Session-Id: 14F2FF0000003559116C68
Address Origin : Dynamic
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status : N/A
OT HTTP Rdr Fltr Src : N/A
HTTP Rdr URL Override : N/A
GTP local break-out : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
Number of subscriber hosts : 6
=============================================================
*A:BNG-1#
The following command shows that the subscriber identity is set to circuit-id (plus session-id) as instructed by the auto-sub-id-key command (the subscriber-id string is not returned via the LUDB or RADIUS). The lease times are set to 1h as defined in the DHCP server. The username passed to RADIUS is the circuit-id or the username appended with the domain1 domain name.
*A:BNG-1# show service id 1 dhcp lease-state detail
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID : 1
IP Address : 10.10.0.102
Client HW Address : 00:0c:29:00:00:12
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:12]
Termination Type : local
Up Time : 0d 00:01:36
Remaining Lease Time : 0d 00:58:25
Remaining SessionTime: N/A
Persistence Key : N/A
Sub-Ident : "open-dhcp-2"
Sub-Profile-String : "rad-sub"
SLA-Profile-String : "rad-sla"
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : "open-auth-vport"
Category-Map-Name : ""
Lease Info origin : DHCP
Ip-Netmask : 255.255.255.0
Broadcast-Ip-Addr : N/A
Default-Router : 10.10.0.1
Primary-Dns : 172.16.16.16
Secondary-Dns : 172.16.16.17
Primary-Nbns : N/A
Secondary-Nbns : N/A
ServerLeaseStart : 05/09/2017 09:14:18
ServerLastRenew : 05/09/2017 09:14:18
ServerLeaseEnd : 05/09/2017 10:14:18
Session-Timeout : N/A
IPoE|PPP session : No
Lease-Time : 0d 01:00:00
DHCP Server Addr : 10.10.1.1
Relay Agent Information
Circuit Id : open-dhcp-2
Radius User-Name : "open-dhcp-2@domain1"
-------------------------------------------------------------------------------
Managed Routes
-------------------------------------------------------------------------------
IP Address Status Metric Tag Pref
-------------------------------------------------------------------------------
192.168.1.0/24 installed 0 none 0
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Number of lease states : 1
===============================================================================
*A:BNG-1#
For the purpose of brevity, the output for only two IPv6 leases is shown. The remaining two IPv6 leases are not shown because the output follows the same logic.
*A:BNG-1# show service id 1 dhcp6 lease-state detail
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID : 1
IP Address : 2001:db8:10:101::1/128
Client HW Address : 00:0c:29:00:00:12
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:12]
Termination Type : local
Up Time : 0d 00:01:59
Remaining Lease Time : 0d 00:58:02
Remaining SessionTime: N/A
Persistence Key : N/A
Sub-Ident : "open-dhcp-2"
Sub-Profile-String : "rad-sub"
SLA-Profile-String : "rad-sla"
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : "open-auth-vport"
Category-Map-Name : ""
Dhcp6 ClientId (DUID): 0001000120a33b22000c29000012
Dhcp6 IAID : 2
Dhcp6 IAID Type : non-temporary
Dhcp6 Client Ip : fe80::20c:29ff:fe00:12
Primary-Dns : N/A
Secondary-Dns : N/A
Pool Name : "ludb"
Dhcp6 Server Addr : 2001:db8::1
Dhcp6 ServerId (DUID): 0003000114f2ff000000
Dhcp6 InterfaceId : open-dhcp-2
Dhcp6 RemoteId : N/A
Radius sub-if prefix : N/A
Router adv. policy : N/A
Lease Info origin : DHCP
ServerLeaseStart : 05/09/2017 09:14:27
ServerLastRenew : 05/09/2017 09:14:27
ServerLeaseEnd : 05/09/2017 10:14:27
Session-Timeout : N/A
IPoE|PPP session : No
Radius User-Name : "open-dhcp-2@domain1"
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:10:102::1/128
Client HW Address : 00:0c:29:00:00:22
---snip---
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:10:200::/56
Client HW Address : 00:0c:29:00:00:12
---snip---
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:10:300::/56
Client HW Address : 00:0c:29:00:00:22
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:22]
Termination Type : local
Up Time : 0d 00:01:39
Remaining Lease Time : 0d 00:58:21
Remaining SessionTime: N/A
Persistence Key : N/A
Sub-Ident : "open-pppoe-2|1"
Sub-Profile-String : "rad-sub"
SLA-Profile-String : "rad-sla"
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : "open-auth-vport"
Category-Map-Name : ""
Dhcp6 ClientId (DUID): 0001000120a3175e000c29000022
Dhcp6 IAID : 1
Dhcp6 IAID Type : prefix
Dhcp6 Client Ip : fe80::20c:29ff:fe00:22
Primary-Dns : N/A
Secondary-Dns : N/A
Pool Name : "ludb"
Dhcp6 Server Addr : 2001:db8::1
Dhcp6 ServerId (DUID): 0003000114f2ff000000
Dhcp6 InterfaceId : open-pppoe-2
Dhcp6 RemoteId : N/A
Radius sub-if prefix : N/A
Router adv. policy : N/A
Lease Info origin : DHCP
ServerLeaseStart : 05/09/2017 09:14:48
ServerLastRenew : 05/09/2017 09:14:48
ServerLeaseEnd : 05/09/2017 10:14:48
Session-Timeout : N/A
IPoE|PPP session : PPP
Radius User-Name : "open-pppoe-2@domain1"
-------------------------------------------------------------------------------
Number of lease states : 4
===============================================================================
*A:BNG-1#
IP Proxy Case with LUDB + RADIUS Authentication
IP address is assigned via RADIUS.
RADIUS provides IP addresses (IPv6 lease-times are provided under the group-interface) and related parameters (DNS server, IPv4 default-gateway, etc), inter-dest-id string for Vport assignment and a framed route.
LUDB provides sub/sla-profile strings and msap-defaults (routing context parameters and msap-policy).
Vport aggregate rate limit and the port scheduler are now added to the physical port. The Vport is associated with the subscriber through the inter-dest-id string obtained via RADIUS.
configure
port 1/1/1
ethernet
mode access
encap-type dot1q
egress-scheduler-policy "port"
access
egress
vport "open-dhcp" create
agg-rate
rate 500
exit
host-match dest "open-auth-vport" create
exit
exit
exit
exit
no shutdown
exit
exit
The LUDB is used to assign the sub/sla-profile strings.
The domain name domain1 is appended to the username (circuit-id = open-dhcp-3 or username = open-pppoe-3) before an Access-Request is sent to the RADIUS server that is configured in the authentication policy auth-pol-1.
configure
subscriber-mgmt
local-user-db "ludb-3" create
description "for CASE-3"
ipoe
match-list circuit-id
host "open-dhcp-3" create
host-identification
circuit-id string "open-dhcp-3"
exit
auth-policy "auth-pol-1"
auth-domain-name "domain1"
identification-strings 254 create
sla-profile-string "ludb-sla"
sub-profile-string "ludb-sub"
exit
msap-defaults
group-interface "grp-int-1"
policy "msap-pol-1"
service 1
exit
no shutdown
exit
exit
ppp
match-list circuit-id mac username
host "open-ppp-3" create
host-identification
username "open-pppoe-3"
exit
auth-policy "auth-pol-1"
password chap "letmein"
identification-strings 254 create
sla-profile-string "ludb-sla"
sub-profile-string "ludb-sub"
exit
msap-defaults
group-interface "grp-int-1"
policy "msap-pol-1"
service 1
exit
no shutdown
exit
exit
no shutdown
exit
exit
exit
RADIUS is defined via the authentication-policy. The domain name can be appended to the PPPoE subscriber host directly via authentication-policy, while for IPoE subscribers the domain name is appended via authentication-policy in conjunction with LUDB.
configure
subscriber-mgmt
authentication-policy "auth-pol-1" create
description "RADIUS authentication policy"
password "letmein"
ppp-user-name append "domain1"
user-name-format circuit-id append
accept-authorization-change
pppoe-access-method pap-chap
radius-server-policy "rad-serv-pol-1"
exit
exit
exit
The RADIUS user configuration file uses the domain extension as inserted by the BNG node to authenticate the user. The inter-dest-id string and the host IP address are provided by the RADIUS server (proxy case) along with other IP addressing parameters.
The lease time (30 minutes) for IPv4 addresses is provided by the RADIUS server, while the lease time (30 minutes) for IPv6 addresses/prefixes is configured under the group-interface.
open-dhcp-3@domain1 Cleartext-Password := "letmein"
    Alc-Int-Dest-Id-Str = open-auth-vport,
    Framed-IP-Address = 10.10.0.230,
    Framed-IP-Netmask = 255.255.255.0,
    Alc-Default-Router = 10.10.0.1,
    Alc-Lease-Time = 1800,
    Client-DNS-Pri = 172.16.20.20,
    Client-DNS-Sec = 172.16.20.21,
    Alc-IPv6-Address = 2001:db8::100,
    Delegated-IPv6-Prefix = 2001:DB8:40:100::/56,
    Alc-IPv6-Primary-Dns = 2001:DB8::2000,
    Alc-Ipv6-Secondary-Dns = 2001:DB8::2001,
    Framed-Route = "192.168.1.0/24 0.0.0.0"

open-pppoe-3@domain1 Cleartext-Password := "letmein"
    Alc-Int-Dest-Id-Str = open-auth-vport,
    Framed-IP-Address = 10.10.0.231,
    Framed-IP-Netmask = 255.255.255.255,
    Client-DNS-Pri = 172.16.20.20,
    Client-DNS-Sec = 172.16.20.21,
    Alc-IPv6-Address = 2001:db8:0:1::100,
    Delegated-IPv6-Prefix = 2001:DB8:40:200::/56,
    Alc-IPv6-Primary-Dns = 2001:DB8::2000,
    Alc-Ipv6-Secondary-Dns = 2001:DB8::2001,
    Framed-Route = "192.168.2.0/24 0.0.0.0"
The group-interface configuration is as follows. Note that common parts of the configuration as defined earlier still apply.
configure
service
vprn 1 customer 1 create
subscriber-interface "sub-int-1" create
group-interface "grp-int-1" create
ipv6
dhcp6
proxy-server
renew-timer min 7
rebind-timer min 10
valid-lifetime min 30
preferred-lifetime min 15
client-applications dhcp ppp
no shutdown
exit
exit
exit
dhcp
proxy-server
emulated-server 10.12.0.1
no shutdown
exit
exit
exit
exit
exit
exit
exit
The sub/sla-profiles supplied via the LUDB are defined as:
configure
subscriber-mgmt
sla-profile "ludb-sla" create
description "sla-profile obtained via LUDB"
host-limits
overall 100
exit
egress
qos 1 vport-scheduler
exit
ip-filter 1
exit
exit
sub-profile "ludb-sub" create
description "sub-profile obtained via LUDB"
egress
agg-rate-limit 15000
exit
exit
exit
exit
Show Commands
The following command shows that the ludb-sub/sla-profiles, as supplied via LUDB, are in use. The IP addresses are supplied via the RADIUS server. The subscriber-id is auto-generated (not returned via LUDB or RADIUS) and it is set to the circuit-id for the IPoE subscriber host, and to the username|session-id combination for the PPPoE subscriber host.
*A:BNG-1# show service active-subscribers
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber open-dhcp-3 (ludb-sub)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:13] - sla:ludb-sla
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
10.10.0.230
00:0c:29:00:00:13 N/A DHCP 1 Y
2001:db8::100/128
00:0c:29:00:00:13 N/A DHCP6 1 Y
2001:db8:40:100::/56
00:0c:29:00:00:13 N/A DHCP6 1 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Subscriber open-pppoe-3|1 (ludb-sub)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:23] - sla:ludb-sla
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
10.10.0.231
00:0c:29:00:00:23 PPP 1 IPCP 1 Y
2001:db8:0:1::100/128
00:0c:29:00:00:23 PPP 1 DHCP6 1 Y
2001:db8:40:200::/56
00:0c:29:00:00:23 PPP 1 DHCP6-PD 1 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Number of active subscribers : 2
===============================================================================
*A:BNG-1#
The following command shows more details about the subscriber-host, such as the group-interface, vport, address origin, acct-session-id, etc. Vport is selected based on the inter-dest-id string supplied via RADIUS.
For the purpose of brevity, the output for only two hosts is shown, one with an IPv4 address and one with an IPv6 prefix. The remaining IP addresses/prefixes are not shown because the output follows the same logic.
*A:BNG-1# show service id 1 subscriber-hosts detail
=============================================================
Subscriber Host table
=============================================================
Sap Subscriber
IP Address
MAC Address PPPoE-SID Origin Fwding State
-------------------------------------------------------------
[1/1/1:13] open-dhcp-3
10.10.0.230
00:0c:29:00:00:13 N/A DHCP Fwding
-------------------------------------------------------------
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
Sub Profile : ludb-sub
SLA Profile : ludb-sla
App Profile : N/A
Egress Q-Group : N/A
Egress Vport : N/A
Acct-Session-Id : 14F2FF0000003A59119C39
Acct-Q-Inst-Session-Id: 14F2FF0000003B59119C39
Address Origin : AAA
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status : N/A
OT HTTP Rdr Fltr Src : N/A
HTTP Rdr URL Override : N/A
GTP local break-out : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
[1/1/1:13] open-dhcp-3
2001:db8::100/128
00:0c:29:00:00:12 N/A IPoE-DHCP6 Fwding
-------------------------------------------------------------
---snip---
-------------------------------------------------------------
[1/1/1:13] open-dhcp-3
2001:db8:40:100::/56
00:0c:29:00:00:12 N/A IPoE-DHCP6 Fwding
-------------------------------------------------------------
---snip---
-------------------------------------------------------------
[1/1/1:23] open-pppoe-3|1
10.10.0.231
00:0c:29:00:00:23 1 IPCP Fwding
-------------------------------------------------------------
---snip---
-------------------------------------------------------------
[1/1/1:23] open-pppoe-3|1
2001:db8:0:1::100/128
00:0c:29:00:00:23 1 PPP-DHCP6 Fwding
-------------------------------------------------------------
---snip---
-------------------------------------------------------------
[1/1/1:23] open-pppoe-3|1
2001:db8:40:200::/56
00:0c:29:00:00:23 1 PPP-DHCP6 Fwding
-------------------------------------------------------------
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
Sub Profile : ludb-sub
SLA Profile : ludb-sla
App Profile : N/A
Egress Q-Group : N/A
Egress Vport : N/A
Acct-Session-Id : 14F2FF0000004259119D4E
Acct-Q-Inst-Session-Id: 14F2FF0000004059119D4E
Address Origin : AAA
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status : N/A
OT HTTP Rdr Fltr Src : N/A
HTTP Rdr URL Override : N/A
GTP local break-out : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
Number of subscriber hosts : 6
=============================================================
*A:BNG-1#
The following command shows that the subscriber identity is set to circuit-id (plus session-id) as instructed by the auto-sub-id-key command (the subscriber-id string is not returned via LUDB or RADIUS). The lease times are set to 30 minutes as defined by RADIUS for IPv4 addresses and by the group-interface for IPv6 addresses/prefixes (proxy-case). The username passed to RADIUS is the circuit-id or username appended with the domain1 domain name. The origin of the lease is RADIUS.
*A:BNG-1# show service id 1 dhcp lease-state detail
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID : 1
IP Address : 10.10.0.230
Client HW Address : 00:0c:29:00:00:13
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:13]
Termination Type : local
Up Time : 0d 00:06:17
Remaining Lease Time : 0d 00:23:43
Remaining SessionTime: N/A
Persistence Key : N/A
Sub-Ident : "open-dhcp-3"
Sub-Profile-String : "ludb-sub"
SLA-Profile-String : "ludb-sla"
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : "open-auth-vport"
Category-Map-Name : ""
Lease Info origin : Radius
Ip-Netmask : 255.255.255.0
Broadcast-Ip-Addr : 10.10.0.255
Default-Router : 10.10.0.1
Primary-Dns : 172.16.20.20
Secondary-Dns : 172.16.20.21
Primary-Nbns : N/A
Secondary-Nbns : N/A
ServerLeaseStart : 05/09/2017 12:38:49
ServerLastRenew : 05/09/2017 12:38:49
ServerLeaseEnd : 05/09/2017 13:08:49
Session-Timeout : N/A
IPoE|PPP session : No
Lease-Time : 0d 00:30:00
DHCP Server Addr : N/A
Relay Agent Information
Circuit Id : open-dhcp-3
Radius User-Name : "open-dhcp-3@domain1"
-------------------------------------------------------------------------------
Managed Routes
-------------------------------------------------------------------------------
IP Address Status Metric Tag Pref
-------------------------------------------------------------------------------
192.168.1.0/24 installed 0 none 0
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Number of lease states : 1
===============================================================================
*A:BNG-1#
For the purpose of brevity, the details for only two IPv6 prefixes are shown. The remaining two IPv6 leases are not shown because the output follows the same logic.
*A:BNG-1# show service id 1 dhcp6 lease-state detail
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID : 1
IP Address : 2001:db8::100/128
Client HW Address : 00:0c:29:00:00:12
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:13]
Termination Type : local
Up Time : 0d 00:06:24
Remaining Lease Time : 0d 00:23:37
Remaining SessionTime: N/A
Persistence Key : N/A
Sub-Ident : "open-dhcp-3"
Sub-Profile-String : "ludb-sub"
SLA-Profile-String : "ludb-sla"
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : "open-auth-vport"
Category-Map-Name : ""
Dhcp6 ClientId (DUID): 0001000120a33b41000c29000012
Dhcp6 IAID : 2
Dhcp6 IAID Type : non-temporary
Dhcp6 Client Ip : fe80::20c:29ff:fe00:12
Primary-Dns : 2001:db8::2000
Secondary-Dns : 2001:db8::2001
Pool Name : ""
Dhcp6 Server Addr : N/A
Dhcp6 ServerId (DUID): N/A
Dhcp6 InterfaceId : open-dhcp-3
Dhcp6 RemoteId : N/A
Radius sub-if prefix : N/A
Router adv. policy : N/A
Lease Info origin : Radius
ServerLeaseStart : 05/09/2017 12:38:59
ServerLastRenew : 05/09/2017 12:38:59
ServerLeaseEnd : 05/09/2017 13:08:59
Session-Timeout : N/A
IPoE|PPP session : No
Radius User-Name : "open-dhcp-3@domain1"
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:0:1::100/128
Client HW Address : 00:0c:29:00:00:23
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:23]
---snip---
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:40:100::/56
Client HW Address : 00:0c:29:00:00:12
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:13]
---snip---
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:40:200::/56
Client HW Address : 00:0c:29:00:00:23
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:23]
Termination Type : local
Up Time : 0d 00:01:58
Remaining Lease Time : 0d 00:28:02
Remaining SessionTime: N/A
Persistence Key : N/A
Sub-Ident : "open-pppoe-3|1"
Sub-Profile-String : "ludb-sub"
SLA-Profile-String : "ludb-sla"
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : "open-auth-vport"
Category-Map-Name : ""
Dhcp6 ClientId (DUID): 0001000120a45903000c29000023
Dhcp6 IAID : 1
Dhcp6 IAID Type : prefix
Dhcp6 Client Ip : fe80::20c:29ff:fe00:23
Primary-Dns : 2001:db8::2000
Secondary-Dns : 2001:db8::2001
Pool Name : ""
Dhcp6 Server Addr : N/A
Dhcp6 ServerId (DUID): N/A
Dhcp6 InterfaceId : open-pppoe-3
Dhcp6 RemoteId : N/A
Radius sub-if prefix : N/A
Router adv. policy : N/A
Lease Info origin : Radius
ServerLeaseStart : 05/09/2017 12:43:26
ServerLastRenew : 05/09/2017 12:43:26
ServerLeaseEnd : 05/09/2017 13:13:26
Session-Timeout : N/A
IPoE|PPP session : PPP
Radius User-Name : "open-pppoe-3@domain1"
-------------------------------------------------------------------------------
Number of lease states : 4
===============================================================================
*A:BNG-1#
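A check that can be run over the lease-state output of the DHCP relay and RADIUS proxy cases above: it parses the records and flags any lease whose profile strings, lease origin, lease time or RADIUS user-name suffix differ from what the scenario is meant to produce. This is an added example, not part of the original chapter or of SR OS; the EXPECTED table, the function names and the inconsistent 10.10.0.240 record are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: abridged records in the lease-state layout shown above,
# plus one deliberately inconsistent record (10.10.0.240) for the audit.
SAMPLE = """\
Service ID : 1
IP Address : 10.10.0.102
Sub-Ident : "open-dhcp-2"
Sub-Profile-String : "rad-sub"
SLA-Profile-String : "rad-sla"
Lease Info origin : DHCP
ServerLeaseStart : 05/09/2017 09:14:18
ServerLeaseEnd : 05/09/2017 10:14:18
Radius User-Name : "open-dhcp-2@domain1"
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:0:1::100/128
---snip---
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:40:200::/56
Sub-Ident : "open-pppoe-3|1"
Sub-Profile-String : "ludb-sub"
SLA-Profile-String : "ludb-sla"
Lease Info origin : Radius
ServerLeaseStart : 05/09/2017 12:43:26
ServerLeaseEnd : 05/09/2017 13:13:26
Radius User-Name : "open-pppoe-3@domain1"
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 10.10.0.240
Sub-Ident : "open-dhcp-3"
Sub-Profile-String : "rad-sub"
SLA-Profile-String : "ludb-sla"
Lease Info origin : DHCP
ServerLeaseStart : 05/09/2017 12:40:00
ServerLeaseEnd : 05/09/2017 13:40:00
Radius User-Name : "open-dhcp-3"
-------------------------------------------------------------------------------
Number of lease states : 4
"""

FIELDS = ("Sub-Profile-String", "SLA-Profile-String", "Lease Info origin", "lease_seconds")
# Expected values per subscriber, as this page states them for each scenario
# (hypothetical policy table; adapt it to the deployment being audited).
EXPECTED = {
    "open-dhcp-2": ("rad-sub", "rad-sla", "DHCP", 3600),
    "open-dhcp-3": ("ludb-sub", "ludb-sla", "Radius", 1800),
    "open-pppoe-3|1": ("ludb-sub", "ludb-sla", "Radius", 1800),
}
DOMAIN = "@domain1"  # suffix the BNG appends before sending the Access-Request
KV = re.compile(r"^([^:]+?)\s*:\s+(.*)$")  # split at the first "key : value" colon
TS = "%m/%d/%Y %H:%M:%S"

def parse_lease_states(text):
    """Split 'lease-state detail' output into one dict per lease record."""
    records, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if line == "---snip---" and cur is not None:
            cur["_truncated"] = True  # record was cut short in the capture
        m = KV.match(line)
        if not m:
            continue  # rulers, prompts, titles and managed-route table rows
        key, val = m.group(1), m.group(2).strip('"')
        if key == "Service ID":  # every record starts with this field
            cur = {}
            records.append(cur)
        elif key.startswith("Number of"):
            cur = None  # trailer line, not part of the last record
        if cur is not None:
            cur[key] = val
    return records

def audit(records, expected=EXPECTED, domain=DOMAIN):
    """Return (ip, field, expected, actual) for every deviation found."""
    findings = []
    for rec in records:
        ip, sub = rec.get("IP Address", "?"), rec.get("Sub-Ident")
        if sub not in expected:  # truncated capture or unknown subscriber
            state = "truncated" if rec.get("_truncated") else sub
            findings.append((ip, "Sub-Ident", "known subscriber", state))
            continue
        actual = dict(rec)
        try:
            start, end = (datetime.strptime(rec[k], TS)
                          for k in ("ServerLeaseStart", "ServerLeaseEnd"))
            actual["lease_seconds"] = int((end - start).total_seconds())
        except (KeyError, ValueError):
            actual["lease_seconds"] = None  # timestamps missing or malformed
        for field, want in zip(FIELDS, expected[sub]):
            if actual.get(field) != want:
                findings.append((ip, field, want, actual.get(field)))
        user = rec.get("Radius User-Name", "")
        if not user.endswith(domain):
            findings.append((ip, "Radius User-Name", "*" + domain, user))
    return findings

if __name__ == "__main__":
    print(*audit(parse_lease_states(SAMPLE)), sep="\n")
```

Records cut with ---snip--- are reported rather than silently passed, so a partial capture cannot hide a lease that was built from the wrong source.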
IP Proxy Case with LUDB + RADIUS Authentication
The IP address is assigned via LUDB.
RADIUS provides sub/sla-profile strings and a framed IPv4 route.
LUDB provides IP addresses (IPv6 lease-times are provided under the group-interface) and related parameters (DNS server, IPv4 default-gateway, etc), inter-dest-id string for Vport assignment and msap-defaults (routing context parameters and msap-policy).
Vport aggregate rate limit and the port scheduler are now added to the physical port. The Vport is associated with the subscriber through the inter-dest-id string obtained via the LUDB.
configure
port 1/1/1
ethernet
mode access
encap-type dot1q
egress-scheduler-policy "port"
access
egress
vport "open-dhcp" create
agg-rate
rate 500
exit
host-match dest "open-auth-vport" create
exit
exit
exit
exit
no shutdown
exit
exit
The LUDB is used to assign the inter-dest-id string, host IP addresses and IP addressing parameters. The DHCP lease time for IPv4 addresses is set to 15 minutes in the LUDB, while the lease times for IPv6 addresses/prefixes are set under the group-interface (set to 30 minutes).
The domain name domain1 is appended to the username (circuit-id = open-dhcp-4 or username = open-pppoe-4) before an Access-Request is sent to the RADIUS server that is configured in the authentication-policy auth-pol-1.
configure
subscriber-mgmt
local-user-db "ludb-4" create
description "for CASE-4"
ipoe
match-list circuit-id
host "open-dhcp-4" create
host-identification
circuit-id string "open-dhcp-4"
exit
address 10.10.0.230
auth-policy "auth-pol-1"
auth-domain-name "domain1"
identification-strings 254 create
inter-dest-id "open-auth-vport"
exit
msap-defaults
group-interface "grp-int-1"
policy "msap-pol-1"
service 1
exit
options
subnet-mask 255.255.255.0
default-router 10.10.0.254
dns-server 172.16.20.20 172.16.20.21
lease-time min 15
exit
options6
dns-server 2001:DB8::2000 2001:DB8::2001
exit
ipv6-address 2001:DB8::100
ipv6-delegated-prefix 2001:DB8:40:100::/56
no shutdown
exit
exit
ppp
match-list circuit-id mac username
host "open-ppp-4" create
host-identification
username "open-pppoe-4"
exit
auth-policy "auth-pol-1"
address 10.10.0.231/32
password chap "letmein"
identification-strings 254 create
inter-dest-id "open-auth-vport"
exit
msap-defaults
group-interface "grp-int-1"
policy "msap-pol-1"
service 1
exit
options
dns-server 172.16.20.20 172.16.20.21
exit
options6
dns-server 2001:DB8::2000 2001:DB8::2001
exit
ipv6-address 2001:DB8::1:0:0:0:100
ipv6-delegated-prefix 2001:DB8:40:200::/56
no shutdown
exit
exit
no shutdown
exit
exit
exit
RADIUS is defined via the authentication-policy. The domain name can be appended to the PPPoE subscriber host directly via authentication-policy while for IPoE subscribers, the domain name is appended via authentication policy in conjunction with LUDB.
configure
subscriber-mgmt
authentication-policy "auth-pol-1" create
description "RADIUS authentication policy"
password "letmein"
ppp-user-name append "domain1"
user-name-format circuit-id append
accept-authorization-change
pppoe-access-method pap-chap
radius-server-policy "rad-serv-pol-1"
exit
exit
exit
The RADIUS user configuration file uses the domain extension as inserted by the SR OS to authenticate the user.
open-dhcp-4@domain1 Cleartext-Password := "letmein"
    Alc-Subsc-Prof-Str = rad-sub,
    Alc-SLA-Prof-Str = rad-sla,
    Framed-Route = "192.168.1.0/24 0.0.0.0"

open-pppoe-4@domain1 Cleartext-Password := "letmein"
    Alc-Subsc-Prof-Str = rad-sub,
    Alc-SLA-Prof-Str = rad-sla,
    Framed-Route = "192.168.2.0/24 0.0.0.0"
The group interface configuration is as follows. Common parts of the configuration as defined earlier still apply.
configure
service
vprn 1 customer 1 create
subscriber-interface "sub-int-1" create
group-interface "grp-int-1" create
ipv6
user-db "ludb-4"
dhcp6
proxy-server
renew-timer min 7
rebind-timer min 10
valid-lifetime min 30
preferred-lifetime min 15
client-applications dhcp ppp
no shutdown
exit
exit
exit
dhcp
proxy-server
emulated-server 10.12.0.1
no shutdown
exit
user-db "ludb-4"
exit
exit
exit
exit
exit
exit
The sub/sla-profiles supplied by RADIUS are defined as:
configure
subscriber-mgmt
sla-profile "ludb-sla" create
description "sla-profile obtained via LUDB"
host-limits
overall 3
exit
egress
qos 1 vport-scheduler
exit
ip-filter 1
exit
exit
sub-profile "ludb-sub" create
description "sub-profile obtained via LUDB"
egress
agg-rate-limit 15000
exit
exit
exit
exit
Show Commands
The following command shows that the rad-sub/sla-profiles, as provided by RADIUS, are in use. The IP addresses are provided by LUDB. The subscriber-id is auto-generated (not returned via the LUDB or RADIUS) and it is set to circuit-id for IPoE subscriber-host(s) and to username|session-id combination for PPPoE subscriber host(s).
*A:BNG-1# show service active-subscribers
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber open-dhcp-4 (rad-sub)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:14] - sla:rad-sla
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
10.10.0.230
00:0c:29:00:00:14 N/A DHCP 1 Y
2001:db8::100/128
00:0c:29:00:00:14 N/A DHCP6 1 Y
2001:db8:40:100::/56
00:0c:29:00:00:14 N/A DHCP6 1 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Subscriber open-pppoe-4|1 (rad-sub)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:24] - sla:rad-sla
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
10.10.0.231
00:0c:29:00:00:24 PPP 1 IPCP 1 Y
2001:db8:0:1::100/128
00:0c:29:00:00:24 PPP 1 DHCP6 1 Y
2001:db8:40:200::/56
00:0c:29:00:00:24 PPP 1 DHCP6-PD 1 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Number of active subscribers : 2
===============================================================================
*A:BNG-1#
The following command shows more details about the subscriber-host, such as the group-interface, vport, address origin, acct-session-id, etc. Vport is selected based on the inter-dest-id string as supplied via the LUDB.
For the purpose of brevity, the details for only two hosts are shown, one with an IPv4 address and one with an IPv6 prefix. The remaining IP addresses/prefixes are not shown because the output follows the same logic.
*A:BNG-1# show service id 1 subscriber-hosts detail
=============================================================
Subscriber Host table
=============================================================
Sap Subscriber
IP Address
MAC Address PPPoE-SID Origin Fwding State
-------------------------------------------------------------
[1/1/1:14] open-dhcp-4
10.10.0.230
00:0c:29:00:00:14 N/A DHCP Fwding
-------------------------------------------------------------
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
Sub Profile : rad-sub
SLA Profile : rad-sla
App Profile : N/A
Egress Q-Group : N/A
Egress Vport : open-dhcp
Acct-Session-Id : 14F2FF000000475911D18B
Acct-Q-Inst-Session-Id: 14F2FF000000445911D087
Address Origin : Static
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status : N/A
OT HTTP Rdr Fltr Src : N/A
HTTP Rdr URL Override : N/A
GTP local break-out : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
[1/1/1:14] open-dhcp-4
2001:db8::100/128
00:0c:29:00:00:14 N/A IPoE-DHCP6 Fwding
-------------------------------------------------------------
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
Sub Profile : rad-sub
SLA Profile : rad-sla
---snip---
-------------------------------------------------------------
[1/1/1:14] open-dhcp-4
2001:db8:40:100::/56
00:0c:29:00:00:14 N/A IPoE-DHCP6 Fwding
-------------------------------------------------------------
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
Sub Profile : rad-sub
SLA Profile : rad-sla
App Profile : N/A
---snip---
-------------------------------------------------------------
[1/1/1:24] open-pppoe-4|1
10.10.0.231
00:0c:29:00:00:24 1 IPCP Fwding
-------------------------------------------------------------
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
Sub Profile : rad-sub
SLA Profile : rad-sla
---snip---
-------------------------------------------------------------
[1/1/1:24] open-pppoe-4|1
2001:db8:0:1::100/128
00:0c:29:00:00:24 1 PPP-DHCP6 Fwding
-------------------------------------------------------------
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
Sub Profile : rad-sub
SLA Profile : rad-sla
---snip---
-------------------------------------------------------------
[1/1/1:24] open-pppoe-4|1
2001:db8:40:200::/56
00:0c:29:00:00:24 1 PPP-DHCP6 Fwding
-------------------------------------------------------------
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
Sub Profile : rad-sub
SLA Profile : rad-sla
App Profile : N/A
Egress Q-Group : N/A
Egress Vport : open-dhcp
Acct-Session-Id : 14F2FF0000004C5911D288
Acct-Q-Inst-Session-Id: 14F2FF0000004A5911D288
Address Origin : Static
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status : N/A
OT HTTP Rdr Fltr Src : N/A
HTTP Rdr URL Override : N/A
GTP local break-out : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
Number of subscriber hosts : 6
=============================================================
*A:BNG-1#
The following command shows that the subscriber identity is set to circuit-id (plus session-id) as instructed by the auto-sub-id-key command (the subscriber-id string is not returned via the LUDB or RADIUS). The DHCPv4 lease time is set to 15 minutes as defined by the LUDB. The DHCPv6 lease times are set to 30 minutes as configured under the group-interface. The username passed to RADIUS is the circuit-id or username appended with the domain1 domain name. The origin of the lease is RADIUS.
*A:BNG-1# show service id 1 dhcp lease-state detail
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID : 1
IP Address : 10.10.0.230
Client HW Address : 00:0c:29:00:00:14
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:14]
Termination Type : local
Up Time : 0d 00:09:25
Remaining Lease Time : 0d 00:13:07
Remaining SessionTime: N/A
Persistence Key : N/A
Sub-Ident : "open-dhcp-4"
Sub-Profile-String : "rad-sub"
SLA-Profile-String : "rad-sla"
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : "open-auth-vport"
Category-Map-Name : ""
Lease Info origin : UserDb
Ip-Netmask : 255.255.255.0
Broadcast-Ip-Addr : 10.10.0.255
Default-Router : 10.10.0.254
Primary-Dns : 172.16.20.20
Secondary-Dns : 172.16.20.21
Primary-Nbns : N/A
Secondary-Nbns : N/A
ServerLeaseStart : 05/09/2017 16:26:19
ServerLastRenew : 05/09/2017 16:33:50
ServerLeaseEnd : 05/09/2017 16:48:50
Session-Timeout : N/A
IPoE|PPP session : No
Lease-Time : 0d 00:15:00
DHCP Server Addr : N/A
Relay Agent Information
Circuit Id : open-dhcp-4
Radius User-Name : "open-dhcp-4@domain1"
-------------------------------------------------------------------------------
Managed Routes
-------------------------------------------------------------------------------
IP Address Status Metric Tag Pref
-------------------------------------------------------------------------------
192.168.1.0/24 installed 0 none 0
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Number of lease states : 1
===============================================================================
*A:BNG-1#
For brevity, the details are shown for only two IPv6 leases. The remaining two IPv6 leases are not shown because the output follows the same logic.
*A:BNG-1# show service id 1 dhcp6 lease-state detail
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID : 1
IP Address : 2001:db8::100/128
Client HW Address : 00:0c:29:00:00:14
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:14]
Termination Type : local
Up Time : 0d 00:13:48
Remaining Lease Time : 0d 00:23:11
Remaining SessionTime: N/A
Persistence Key : N/A
Sub-Ident : "open-dhcp-4"
Sub-Profile-String : "rad-sub"
SLA-Profile-String : "rad-sla"
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : "open-auth-vport"
Category-Map-Name : ""
Dhcp6 ClientId (DUID): 0001000120a487cf000c29000014
Dhcp6 IAID : 2
Dhcp6 IAID Type : non-temporary
Dhcp6 Client Ip : fe80::20c:29ff:fe00:14
Primary-Dns : 2001:db8::2000
Secondary-Dns : 2001:db8::2001
Pool Name : ""
Dhcp6 Server Addr : N/A
Dhcp6 ServerId (DUID): N/A
Dhcp6 InterfaceId : open-dhcp-4
Dhcp6 RemoteId : N/A
Radius sub-if prefix : N/A
Router adv. policy : N/A
Lease Info origin : UserDb
ServerLeaseStart : 05/09/2017 16:22:26
ServerLastRenew : 05/09/2017 16:29:25
ServerLeaseEnd : 05/09/2017 16:59:25
Session-Timeout : N/A
IPoE|PPP session : No
Radius User-Name : "open-dhcp-4@domain1"
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:0:1::100/128
Client HW Address : 00:0c:29:00:00:24
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:24]
---snip---
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:40:100::/56
Client HW Address : 00:0c:29:00:00:14
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:14]
---snip---
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:40:200::/56
Client HW Address : 00:0c:29:00:00:24
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : [1/1/1:24]
Termination Type : local
Up Time : 0d 00:05:44
Remaining Lease Time : 0d 00:24:16
Remaining SessionTime: N/A
Persistence Key : N/A
Sub-Ident : "open-pppoe-4|1"
Sub-Profile-String : "rad-sub"
SLA-Profile-String : "rad-sla"
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : "open-auth-vport"
Category-Map-Name : ""
Dhcp6 ClientId (DUID): 0001000120a45933000c29000024
Dhcp6 IAID : 1
Dhcp6 IAID Type : prefix
Dhcp6 Client Ip : fe80::20c:29ff:fe00:24
Primary-Dns : 2001:db8::2000
Secondary-Dns : 2001:db8::2001
Pool Name : ""
Dhcp6 Server Addr : N/A
Dhcp6 ServerId (DUID): N/A
Dhcp6 InterfaceId : open-pppoe-4
Dhcp6 RemoteId : N/A
Radius sub-if prefix : N/A
Router adv. policy : N/A
Lease Info origin : UserDb
ServerLeaseStart : 05/09/2017 16:30:32
ServerLastRenew : 05/09/2017 16:30:32
ServerLeaseEnd : 05/09/2017 17:00:32
Session-Timeout : N/A
IPoE|PPP session : PPP
Radius User-Name : "open-pppoe-4@domain1"
-------------------------------------------------------------------------------
Number of lease states : 4
===============================================================================
*A:BNG-1#
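The lease fields discussed above can be checked mechanically. The following Python is an added example, not part of the original chapter or of SR OS: it parses captured `show service id 1 dhcp lease-state detail` or `dhcp6 lease-state detail` output and flags leases whose RADIUS user name lacks the expected domain or whose lease span differs from the 15-minute (DHCPv4) and 30-minute (DHCPv6) values stated above. The function names, the trimmed sample, and the use of ServerLeaseEnd minus ServerLastRenew as the lease span are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: two records cut down from the lease-state output above.
SAMPLE = """Service ID : 1
IP Address : 10.10.0.230
ServerLastRenew : 05/09/2017 16:33:50
ServerLeaseEnd : 05/09/2017 16:48:50
Radius User-Name : "open-dhcp-4@domain1"
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:40:200::/56
ServerLastRenew : 05/09/2017 16:30:32
ServerLeaseEnd : 05/09/2017 17:00:32
Radius User-Name : "open-pppoe-4@domain1"
"""

FIELD = re.compile(r'^([^:]+?)\s*:\s+(.*)$')  # split at the first ": " only
STAMP = "%m/%d/%Y %H:%M:%S"

def parse_leases(text):
    """Return one dict per lease; a 'Service ID' line opens a new record."""
    leases = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())  # separators and headings do not match
        if m and m.group(1) == "Service ID":
            leases.append({})
        if m and leases:
            leases[-1][m.group(1)] = m.group(2).strip().strip('"')
    return leases

def lease_span(lease):  # lease length granted at the last renew
    end = datetime.strptime(lease["ServerLeaseEnd"], STAMP)
    return end - datetime.strptime(lease["ServerLastRenew"], STAMP)

def audit(text, domain, v4=timedelta(minutes=15), v6=timedelta(minutes=30)):
    """List (ip, problem) pairs; default spans are the values this page uses."""
    findings = []
    for lease in parse_leases(text):
        ip = lease.get("IP Address", "?")
        if not {"ServerLastRenew", "ServerLeaseEnd", "Radius User-Name"}.issubset(lease):
            findings.append((ip, "incomplete record"))  # e.g. a ---snip--- entry
            continue
        if not lease["Radius User-Name"].endswith("@" + domain):
            findings.append((ip, "RADIUS user name outside @" + domain))
        span, want = lease_span(lease), (v6 if ":" in ip else v4)
        if span != want:
            findings.append((ip, "lease span %s, expected %s" % (span, want)))
    return findings
```

Calling `audit(SAMPLE, "domain1")` returns an empty list for the two records above; records cut with `---snip---` are reported as incomplete rather than silently passed.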
Troubleshooting Commands
The following output shows the debugging commands which can be used to troubleshoot problems with the different authentication models.
debug
    router "Base"
        radius
            packet-type authentication accounting coa
            detail-level medium
        exit
    exit
    router "1"
        ip
            dhcp
                detail-level high
                mode egr-ingr-and-dropped
            exit
            dhcp6
                mode egr-ingr-and-dropped
                detail-level high
            exit
        exit
        local-dhcp-server "svc-1-dhcp4"
            detail-level high
            mode egr-ingr-and-dropped
        exit
        local-dhcp-server "svc-1-dhcp6"
            detail-level high
            mode egr-ingr-and-dropped
        exit
    exit
    service
        id 1
            ppp
                packet
                    mode egr-ingr-and-dropped
                    detail-level high
                    discovery
                    ppp
                    dhcp-client
                exit
            exit
        exit
        id 2
            dhcp
                mode egr-ingr-and-dropped
                detail-level high
            exit
            dhcp6
                mode all
                detail-level high
            exit
            ppp
                packet
                    mode dropped-only
                    detail-level high
                    discovery
                    ppp
                    dhcp-client
                exit
            exit
        exit
    exit
    subscriber-mgmt
        local-user-db "ludb-1"
            detail all
        exit
        local-user-db "ludb-2"
            detail all
        exit
        local-user-db "ludb-3"
            detail all
        exit
        local-user-db "ludb-4"
            detail all
        exit
    exit
exit
configure
    log
        log-id 1
            from debug-trace
            to session
            no shutdown
        exit
    exit
exit
Conclusion
The flexible authentication model allows access to various sources (LUDB, RADIUS, and Python) of subscriber parameters during the subscriber establishment phase. This model can be utilized for IPoE, PPPoE or L2TP subscribers in IES or VPRN services (including a wholesale/retail VRF model). A typical use case would be in a wholesale/retail environment where the wholesaler enforces its own rules via the LUDB before it passes the authentication request to the retailer’s RADIUS server.