Local User Database for Enhanced Subscriber Management

This chapter provides information about local user database for enhanced subscriber management.

Applicability

This chapter was initially written based on SR OS Release 13.0.R6. The CLI in the current edition corresponds to SR OS Release 16.0.R4.

Knowledge of ESM Basics, the Routed CO model, and Local User Database Basics is a prerequisite for understanding this chapter.

Overview

A local user database (LUDB) is a data source providing enhanced subscriber management (ESM) data so that subscribers and subscriber hosts can be instantiated when end-users connect their devices. ESM data includes identification strings, IP address/prefix, profiles, and so on. See the ESM Basics chapter for more information.

LUDBs offer a self-contained method for providing the ESM data, so that no additional ESM data sources are needed.

Alternative ESM data sources are: RADIUS, Diameter NASREQ, Diameter Gx, DHCP-server, Python, and defaults.

Mixed scenarios, where part of the data is provided by an LUDB and the remaining part is provided through RADIUS, are the subject of the Flexible Authentication Model in ESM chapter.

LUDBs can be used for the following applications:

  • assisting a DHCPv4 server in assigning fixed IP addresses to dedicated devices; see the Local User Database for DHCPv4 Server chapter.

  • authenticating devices, so that ESM hosts and subscribers can be instantiated. This is supported for the Routed CO model only.

  • authenticating devices as a fallback for RADIUS authentication, in case the RADIUS server is not available. This is supported for the Routed CO model only.

This chapter describes the use of LUDBs for authentication, including:

  • parameters that can be returned by LUDBs

  • contexts where LUDBs can be applied in the system

LUDB authentication is supported:

  • for IPoE as well as for PPP

  • for regular SAPs as well as for capture and managed SAPs

  • for the proxy scenario as well as for the relay scenario

LUDB authentication can be started directly through one of the following protocol triggers; see LUDB authentication:

  • DHCPv4 Discover

  • DHCPv6 Solicit

  • PPPoE PADI

  • PPPoA Conf Req

  • Router Solicit [RS]

Figure 1. LUDB authentication

When triggered, ESM accesses an LUDB either directly, because the LUDB is applied to the service (through one of its sub-contexts), or indirectly, as a fallback action for RADIUS (through the authentication policy); see Direct and indirect LUDB authentication. ARP requests can only trigger LUDB authentication indirectly.

Note:

An authentication policy can be referenced from a group interface and a capture SAP, or from an LUDB.

Figure 2. Direct and indirect LUDB authentication

Three ESM scenarios in which an LUDB is accessed are as follows:

  • ESM gets all the data needed for host creation directly from the LUDB.

  • ESM gets some data from the LUDB and the remaining data from an AAA server (RADIUS, NASREQ, Gx). This requires the LUDB to provide an authentication or a Diameter application policy, and no authentication or Diameter policy at the group interface level.

  • ESM tries to fetch the data from a RADIUS server, but because this server is not reachable, ESM falls back to an LUDB.

The examples in the Configuration section of this chapter describe the first and the last scenario. The second scenario is described in the Flexible Authentication Model in ESM chapter.

LUDB input and output parameters

As described in the Local User Database Basics chapter, when processing an LUDB lookup request, the input parameters are filtered and optionally masked before the entries in the database are searched. Every entry, except for the default entry, contains one or more host-identification fields that are used for matching. The output parameters of the matching entry are then used for host creation.

The following IPoE host-identification fields are supported when accessing an LUDB for ESM; see LUDB parameters for IPoE:

  • mac

  • circuit-id + remote-id

  • option60 (excluded for the IPoE session model)

  • sap-id + encap-tag-range

  • service-id

  • string

  • system-id

The LUDB lookup process can take up to four IPoE match-criteria into account, as defined by the IPoE match-list.

The following PPP host-identification fields are supported when accessing an LUDB for ESM; see LUDB parameters for PPPoE:

  • mac

  • circuit-id + remote-id

  • sap-id + encap-tag-range

  • service-name (PPPoE tag: service name)

  • username (excluded for the RADIUS fallback scenario)

The LUDB lookup process can take up to three PPP match-criteria into account, as defined by the PPP match-list.

The output fields of the lookup process include identification strings, options, and other parameters.

See LUDB parameters for IPoE and LUDB parameters for PPPoE for the full list of input and output parameters for IPoE and PPPoE, respectively.

Figure 3. LUDB parameters for IPoE
Figure 4. LUDB parameters for PPPoE
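The lookup process described above, modelled in Python as an added illustration (this is not SR OS code): the match-list filters the input parameters, masking is applied, entries are matched on their host-identification fields, and the default entry catches everything else. The host entries are modelled on ludb-rsap from this chapter; entry-60, the prefix/suffix mask format, the first-match ordering and the treatment of circuit-id and remote-id as separate keys are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Host-identification fields listed on the page per family. circuit-id and
# remote-id are separate keys here, a simplification of "circuit-id + remote-id".
IPOE_FIELDS = {"mac", "circuit-id", "remote-id", "option60", "sap-id",
               "service-id", "string", "system-id"}
PPP_FIELDS = {"mac", "circuit-id", "remote-id", "sap-id", "service-name", "username"}
MAX_CRITERIA = {"ipoe": 4, "ppp": 3}      # match-list limits stated on the page


@dataclass
class HostEntry:
    name: str
    host_identification: dict            # field -> value the (masked) input must equal
    output: dict                         # parameters returned on a match
    admin_up: bool = True                # entry is "no shutdown"


@dataclass
class LocalUserDb:
    name: str
    family: str                          # "ipoe" or "ppp"
    match_list: list                     # host-identification fields used for matching
    hosts: list = field(default_factory=list)
    default: Optional[dict] = None       # output of the default entry, if configured
    masks: dict = field(default_factory=dict)   # field -> {"prefix": ..., "suffix": ...}

    def __post_init__(self):
        allowed = IPOE_FIELDS if self.family == "ipoe" else PPP_FIELDS
        unknown = set(self.match_list) - allowed
        if unknown:
            raise ValueError(f"{self.name}: unsupported {self.family} fields {sorted(unknown)}")
        if len(self.match_list) > MAX_CRITERIA[self.family]:
            raise ValueError(f"{self.name}: at most {MAX_CRITERIA[self.family]} criteria")


def apply_mask(mask: Optional[dict], value: str) -> str:
    """Strip a configured prefix and/or suffix string from an identification string."""
    if not mask:
        return value
    prefix, suffix = mask.get("prefix", ""), mask.get("suffix", "")
    if prefix and value.startswith(prefix):
        value = value[len(prefix):]
    if suffix and value.endswith(suffix):
        value = value[:-len(suffix)]
    return value


def lookup(db, inputs, ipoe_session=False, radius_fallback=False):
    """Return (entry name, output parameters), or None when nothing matches.

    ipoe_session:    entries identified by option60 are ignored (IPoE session model).
    radius_fallback: username is not a usable PPP criterion in the fallback scenario.
    """
    # 1. filter: only the match-list fields take part in matching
    criteria = [f for f in db.match_list
                if not (radius_fallback and db.family == "ppp" and f == "username")]
    selected = {f: inputs[f] for f in criteria if f in inputs}
    # 2. mask the selected identification strings
    masked = {f: apply_mask(db.masks.get(f), v) for f, v in selected.items()}
    # 3. match: every host-identification field of an entry must be present and equal;
    #    the first matching entry wins (an assumption of this model)
    for host in db.hosts:
        if not host.admin_up:
            continue
        if ipoe_session and "option60" in host.host_identification:
            continue
        if all(masked.get(f) == v for f, v in host.host_identification.items()):
            return host.name, host.output
    # 4. no match: the default entry, when configured, supplies the output
    return ("default", db.default) if db.default is not None else None


# Constructed databases modelled on ludb-rsap from the page; entry-60 is an
# addition for illustration only.
LUDB_IPOE = LocalUserDb("ludb-rsap", "ipoe", ["mac", "option60"], hosts=[
    HostEntry("entry-11", {"mac": "00:00:00:11:11:11"},
              {"address": "10.1.1.211", "subscriber-id": "sub-11",
               "sla-profile-string": "sla-prof-1", "sub-profile-string": "sub-prof-1",
               "ipv6-address": "2001:db8:102:11::11",
               "ipv6-delegated-prefix": "2001:db8:f102:1100::/56"}),
    HostEntry("entry-60", {"option60": "vendor-class-x"},
              {"subscriber-id": "sub-60", "sla-profile-string": "sla-prof-1"}),
])
LUDB_PPP = LocalUserDb("ludb-rsap", "ppp", ["username"], hosts=[
    HostEntry("entry-55", {"username": "sub55@domain1"},
              {"address": "10.1.1.225/24", "password": ("chap", "letmein55"),
               "subscriber-id": "sub-55", "sla-profile-string": "sla-prof-5",
               "sub-profile-string": "sub-prof-3"}),
])

if __name__ == "__main__":
    print(lookup(LUDB_IPOE, {"mac": "00:00:00:11:11:11"}))
    print(lookup(LUDB_IPOE, {"mac": "00:00:00:22:22:22", "option60": "vendor-class-x"},
                 ipoe_session=True))
    print(lookup(LUDB_PPP, {"username": "sub55@domain1"}))
```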

Applying an LUDB for ESM

LUDB authentication for regular SAPs requires an LUDB to be applied at the group interface level in the Layer 3 service (VPRN or IES); see LUDB authentication for regular SAPs. All the SAPs on that group interface share the same authentication configuration. See the Local User Database for DHCPv4 Server chapter for the scenario where a user database is attached to a DHCPv4 server.

Figure 5. LUDB authentication for regular SAPs

LUDB authentication for capture and managed SAPs requires an LUDB to be assigned at capture SAP level in the Layer 2 service (capture-VPLS), and at the group interface level in the Layer 3 service (VPRN or IES). Because the trigger messages to create the managed SAPs are received on the capture SAP and subsequent messages on the managed SAP, the authentication configurations for the Layer 2 and the Layer 3 service must align, including the LUDBs; see LUDB authentication for capture and managed SAPs.

Figure 6. LUDB authentication for capture and managed SAPs

The following CLI commands are available for applying LUDBs:

configure service vprn | ies subscriber-interface <x> group-interface <y>
    dhcp user-db <local-user-db-name>
    ipoe-session user-db <local-user-db-name>
    ipv6 dhcp6 user-db <local-user-db-name>
    ipv6 router-solicit user-db <local-user-db-name>
    ppp user-db <local-user-db-name>
    pppoe user-db <local-user-db-name>
    wpp user-db <local-user-db-name>
configure service vpls <x> sap  <y>
    dhcp-user-db <local-user-db-name>
    dhcp6-user-db <local-user-db-name>
    ipoe-session user-db <local-user-db-name>
    ppp-user-db <local-user-db-name>
    pppoe-user-db <local-user-db-name>
    rtr-solicit-user-db <local-user-db-name>

An LUDB can be assigned in different contexts, and can be reused. If an LUDB contains both IPoE and PPP entries, it is likely to be assigned in a dhcp context as well as in a ppp or a pppoe context.

Configuration guidelines

The following rules have to be observed when configuring authentication for regular, capture, and managed SAPs:

  • If an authentication policy is applied at the capture SAP or group interface level, that authentication policy has priority, regardless of whether, or in which other sub-contexts, an LUDB is assigned. Only when the AAA/RADIUS server referenced from the authentication policy is not available can the SR OS rely on a fallback LUDB, if one is configured. In that case, only a limited set of parameters is returned; see LUDB parameters for IPoE and LUDB parameters for PPPoE.

    This means that for an LUDB to provide ESM data, no authentication policy may be applied at the capture SAP or group interface level, and the LUDB must be in the no shutdown state.

  • An LUDB can return an authentication policy so that the ESM data can be partially provided by the LUDB, and partially by an AAA/RADIUS server. For this mixed scenario, RADIUS fallback is only possible for PPP, PPPoE, DHCPv4, IPoE sessions, and WPP, but not for DHCPv6 and IPv6 router solicitation. For more information, see the Flexible Authentication Model in ESM chapter. When the AAA/RADIUS server is defined but not available, the SR OS can rely on a fallback LUDB if configured.

  • LUDB authentication for RADIUS fallback requires an LUDB to be applied to an authentication policy as a fallback action:

    configure subscriber-mgmt authentication-policy <name>
        fallback-action user-db <local-user-db-name>

  • The DHCPv4 server referenced from a group interface in the dhcp context (for supporting the relay scenario) can have an LUDB assigned; see the Local User Database for DHCPv4 Server chapter. See LUDB parameters for IPoE and LUDB parameters for PPPoE for the parameters that this LUDB can return to the DHCPv4 server.

    An LUDB cannot be assigned to a DHCPv6 server.

  • If an LUDB is applied in the ipoe-session context of a group interface or capture SAP, the LUDBs assigned in the dhcp, dhcp6, and router-solicit contexts of the same group interface or capture SAP are ignored.

    This avoids accessing the LUDB on every DHCPv4 DORA or DHCPv6 SARR message, which is the case when no IPoE sessions are used.

    For IPoE sessions, the LUDB host identification cannot be based on option 60. Entries in the LUDB with host-identification option 60 strings are ignored. All the other LUDB entry match criteria are allowed.

  • If an LUDB is applied in the ppp or pppoe context of a group interface or capture SAP, PAP or CHAP authentication is based on the password configured in the entry. If no password is required, the password parameter in the LUDB entry must be explicitly set to ignore.

    A password verification failure leads to a setup failure.

Configuration

Baseline setup shows the baseline configuration used in this chapter. Dual and single stack end-user devices supporting IPoE and PPPoE connect to the SAPs of IES-1. Different LUDBs are added to this baseline configuration later in this chapter, depending on the scenario.

Figure 7. Baseline setup

The following partial configuration applies to IES-1. This service is provisioned with ESM enabled on all of its SAPs, and supports proxy and relay scenarios on all group interfaces for both IPv4 and IPv6. Only the part relevant to subscriber interface sub-int-1 and group interface grp-int-1-1 is shown. The configurations for the other subscriber and group interfaces are similar. See the ESM Basics and Routed CO chapters for more information.

configure
    service
        ies 1 customer 1 create
            subscriber-interface "sub-int-1" create
                address 10.1.1.254/24
                ---snip---
                ipv6
                    delegated-prefix-len 56
                    link-local-address fe80::ea:4b:f1
                    subscriber-prefixes
                        prefix 2001:db8:101::/48 wan-host
                        prefix 2001:db8:f101::/48 pd
                        ---snip---
                    exit
                exit
                group-interface "grp-int-1-1" create
                    ipv6
                        router-advertisements
                            no shutdown
                        exit
                        dhcp6
                            proxy-server
                                client-applications dhcp ppp
                                no shutdown
                            exit
                            relay
                                link-address 2001:db8:101::1
                                server 2001:db8::11
                                client-applications dhcp ppp
                                no shutdown
                            exit
                        exit
                        router-solicit
                            no shutdown
                        exit
                    exit
                    arp-populate
                    dhcp
                        proxy-server
                            emulated-server 10.1.1.254
                            no shutdown
                        exit
                        option
                            action keep
                        exit
                        server 10.11.11.1
                        trusted
                        lease-populate 100
                        client-applications dhcp ppp
                        gi-address 10.1.1.254
                        no shutdown
                    exit
                    sap 1/1/1:111 create
                        sub-sla-mgmt
                            def-sub-profile "sub-prof-1"
                            def-sla-profile "sla-prof-1"
                            sub-ident-policy "sub-id-pol-1"
                            multi-sub-sap
                            no shutdown
                        exit
                    exit
                    ---snip---
                exit
            exit 
            ---snip---

For brevity, the configurations of the local DHCPv4 and DHCPv6 servers are not shown.

An excerpt from the LUDB ludb-rsap follows. Host entry-11 defines the settings for a dual stack IPoE host, and host entry-55 the settings for a dual stack PPPoE host. For both hosts, the LUDB provides all the data needed to ensure host instantiation.

configure
    subscriber-mgmt
        local-user-db "ludb-rsap" create
            description "LUDB for Regular SAPs"
            ipoe
                match-list mac 
                host "entry-11" create
                    host-identification
                        mac 00:00:00:11:11:11
                    exit
                    address 10.1.1.211
                    identification-strings 254 create
                        subscriber-id "sub-11"
                        sla-profile-string "sla-prof-1"
                        sub-profile-string "sub-prof-1"
                    exit
                    options
                        subnet-mask 255.255.255.0
                        default-router 10.1.1.254
                        dns-server 2.2.2.2 2.2.2.1
                        domain-name "domain.org"
                        custom-option 251 hex 0x010203
                    exit
                    options6
                        dns-server 2001:db8:ddd:1::1 2001:db8:ddd:2::1
                    exit
                    ipv6-address 2001:db8:102:11::11
                    ipv6-delegated-prefix 2001:db8:f102:1100::/56
                    ipv6-delegated-prefix-len 56
                    no shutdown
                exit
                ---snip---
            exit
            ppp
                match-list username
                host "entry-55" create
                    host-identification
                        username "sub55@domain1"
                    exit
                    address 10.1.1.225/24
                    password chap letmein55
                    identification-strings 254 create
                        subscriber-id "sub-55"
                        sla-profile-string "sla-prof-5"
                        sub-profile-string "sub-prof-3"
                    exit
                    options
                        dns-server 2.2.2.2
                    exit
                    options6
                        dns-server 2001:db8:ddd:1::1 2001:db8:ddd:2::1
                    exit
                    ipv6-address 2001:db8:101:55::55
                    ipv6-delegated-prefix 2001:db8:f101:5500::/56
                    ipv6-delegated-prefix-len 56
                    no shutdown
                exit
                ---snip---
            exit
            no shutdown
        exit

IPoE authentication - session model

In this example, the LUDB ludb-rsap is applied to the group interface in the ipoe-session context. This is the way Nokia recommends for supporting IPoE subscribers through an LUDB.

configure
    service
        ies 1 customer 1 create
            subscriber-interface "sub-int-1"
                group-interface "grp-int-1-1"
                    ipoe-session
                        ipoe-session-policy "ipoe-sess-1"
                        session-limit 100
                        user-db "ludb-rsap"
                        no shutdown
                    exit 

Use the following debug configuration for troubleshooting connection issues.

debug
    router "Base"
        ip
            dhcp
                detail-level low
                mode egr-ingr-and-dropped
            exit
            dhcp6
                mode egr-ingr-and-dropped
                detail-level low
            exit
        exit
    exit
    subscriber-mgmt
        local-user-db "ludb-rsap"
            detail all
        exit
    exit
exit

The following trace appears when the user with MAC address 00:00:00:11:11:11 first connects using DHCPv4 and subsequently connects using DHCPv6 without removing the DHCPv4 connection. The LUDB is accessed just once, immediately after the DHCPv4 Discover message.

1 2018/11/22 12:45:34.750 CET MINOR: DEBUG #2001 Base PIP
"PIP: DHCP
instance 1 (Base), interface index 4 (grp-int-1-1), 
   received DHCP Boot Request on Interface grp-int-1-1 (1/1/1:111) Port 67
 
   H/W Type: Ethernet(10Mb)  H/W Address Length: 6
   ciaddr: 0.0.0.0           yiaddr: 0.0.0.0
   siaddr: 0.0.0.0           giaddr: 0.0.0.0
   chaddr: 00:00:00:11:11:11    xid: 0x1"
 
 
2 2018/11/22 12:45:34.750 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
  mac: 00:00:00:11:11:11
 
  Host entry-11 found in user data base ludb-rsap"
 
 
3 2018/11/22 12:45:34.750 CET MINOR: DEBUG #2001 Base PIP
"PIP: DHCP
instance 1 (Base), interface index 4 (grp-int-1-1), 
   transmitted DHCP Boot Reply to Interface grp-int-1-1 (1/1/1:111) Port 68
 
   H/W Type: Ethernet(10Mb)  H/W Address Length: 6
   ciaddr: 0.0.0.0           yiaddr: 10.1.1.211
   siaddr: 10.1.1.254        giaddr: 10.1.1.254
   chaddr: 00:00:00:11:11:11    xid: 0x1"
 
 
4 2018/11/22 12:45:34.772 CET MINOR: DEBUG #2001 Base PIP
"PIP: DHCP
instance 1 (Base), interface index 4 (grp-int-1-1), 
   received DHCP Boot Request on Interface grp-int-1-1 (1/1/1:111) Port 67
 
   H/W Type: Ethernet(10Mb)  H/W Address Length: 6
   ciaddr: 0.0.0.0           yiaddr: 0.0.0.0
   siaddr: 0.0.0.0           giaddr: 0.0.0.0
   chaddr: 00:00:00:11:11:11    xid: 0x1"
 
 
5 2018/11/22 12:45:34.774 CET MINOR: DEBUG #2001 Base PIP
"PIP: DHCP
instance 1 (Base), interface index 4 (grp-int-1-1), 
   transmitted DHCP Boot Reply to Interface grp-int-1-1 (1/1/1:111) Port 68
 
   H/W Type: Ethernet(10Mb)  H/W Address Length: 6
   ciaddr: 0.0.0.0           yiaddr: 10.1.1.211
   siaddr: 10.1.1.254        giaddr: 10.1.1.254
   chaddr: 00:00:00:11:11:11    xid: 0x1"
 
 
6 2018/11/22 12:46:00.160 CET MINOR: DEBUG #2001 Base TIP
"TIP: DHCP6_PKT
   Incoming DHCP6 Msg : SOLICIT (1)
   on itf grp-int-1-1"
 
 
7 2018/11/22 12:46:00.160 CET MINOR: DEBUG #2001 Base TIP
"TIP: DHCP6_PKT
   Outgoing DHCP6 Msg : ADVERTISE (2)
   to itf grp-int-1-1"
 
 
8 2018/11/22 12:46:00.179 CET MINOR: DEBUG #2001 Base TIP
"TIP: DHCP6_PKT
   Incoming DHCP6 Msg : REQUEST (3)
   on itf grp-int-1-1"
 
 
9 2018/11/22 12:46:00.180 CET MINOR: DEBUG #2001 Base TIP
"TIP: DHCP6_PKT
   Outgoing DHCP6 Msg : REPLY (7)
   to itf grp-int-1-1"

The active subscriber hosts for service 1 are shown with the following command.

*A:BNG-1# show service id 1 subscriber-hosts
 
=============================================================
Subscriber Host table
=============================================================
Sap                    Subscriber                
  IP Address                                     
    MAC Address          PPPoE-SID Origin       Fwding State
-------------------------------------------------------------
1/1/1:111              sub-11
  10.1.1.211
    00:00:00:11:11:11    N/A       DHCP         Fwding
1/1/1:111              sub-11
  2001:db8:102:11::11/128
    00:00:00:11:11:11    N/A       IPoE-DHCP6   Fwding
1/1/1:111              sub-11
  2001:db8:f102:1100::/56
    00:00:00:11:11:11    N/A       IPoE-DHCP6   Fwding
-------------------------------------------------------------
Number of subscriber hosts : 3
=============================================================
*A:BNG-1#

The following command shows the session details for MAC address 00:00:00:11:11:11. This information aligns with the LUDB configuration of ludb-rsap, and the origin codes are set to UserDb.

*A:BNG-1# show service id 1 ipoe session mac 00:00:00:11:11:11 detail
 
===============================================================================
IPoE sessions for service 1
===============================================================================
 
SAP                     : 1/1/1:111
Mac Address             : 00:00:00:11:11:11
Circuit-Id              : 11
Remote-Id               : AA
Session Key             : sap-mac
 
MC-Standby              : No
 
Subscriber-interface    : sub-int-1
Group-interface         : grp-int-1-1
 
Termination Type        : local
Up Time                 : 0d 00:01:25
Session Time Left       : N/A
Last Auth Time          : 11/22/2018 12:45:35
Min Auth Intvl (left)   : infinite (N/A)
Persistence Key         : N/A
 
Subscriber              : "sub-11"
Sub-Profile-String      : "sub-profile-1"
SLA-Profile-String      : "sla-profile-1"
SPI group ID            : (Not Specified)
ANCP-String             : ""
Int-Dest-Id             : ""
App-Profile-String      : ""
Category-Map-Name       : ""
Acct-Session-Id         : "0217FF000000315BF696DE"
Sap-Session-Index       : 1
 
IP Address              : 10.1.1.211/24
IP Origin               : UserDb
Primary DNS             : 2.2.2.2
Secondary DNS           : 2.2.2.1
Primary NBNS            : N/A
Secondary NBNS          : N/A
Address-Pool            : N/A
 
IPv6 Prefix             : N/A
IPv6 Prefix Origin      : None
IPv6 Prefix Pool        : ""
IPv6 Del.Pfx.           : 2001:db8:f102:1100::/56
IPv6 Del.Pfx. Origin    : UserDb
IPv6 Del.Pfx. Pool      : ""
IPv6 Address            : 2001:db8:102:11::11
IPv6 Address Origin     : UserDb
IPv6 Address Pool       : ""
Primary IPv6 DNS        : 2001:db8:ddd:1::1
Secondary IPv6 DNS      : 2001:db8:ddd:2::1
Router adv. policy      : N/A
Radius sub-if prefix    : N/A
 
Radius Session-TO       : N/A
Radius Class            : 
Radius User-Name        : 
 
GTP IMSI                : 
GTP APN                 : (Not Specified)
-------------------------------------------------------------------------------
Number of sessions : 1
===============================================================================
*A:BNG-1#

The commands for showing the IPv4 and IPv6 lease states display the lease origin codes too, as follows:

*A:BNG-1# show service id 1 dhcp lease-state mac 00:00:00:11:11:11
 
===============================================================================
DHCP lease state table, service 1
===============================================================================
IP Address      Mac Address       Sap/Sdp Id          Remaining  Lease    MC
                                                      LeaseTime  Origin   Stdby
-------------------------------------------------------------------------------
10.1.1.211      00:00:00:11:11:11 1/1/1:111           06d23h57m  UserDb    
-------------------------------------------------------------------------------
Number of lease states : 1
===============================================================================
*A:BNG-1#
*A:BNG-1# show service id 1 dhcp6 lease-state mac 00:00:00:11:11:11
 
===============================================================================
DHCP lease state table, service 1
===============================================================================
IP Address      Mac Address       Sap/Sdp Id          Remaining  Lease    MC
                                                      LeaseTime  Origin   Stdby
-------------------------------------------------------------------------------
2001:db8:102:11::11/128
                00:00:00:11:11:11 1/1/1:111           23h57m48s  UserDb    
2001:db8:f102:1100::/56
                00:00:00:11:11:11 1/1/1:111           23h57m48s  UserDb    
-------------------------------------------------------------------------------
Number of lease states : 2
===============================================================================
*A:BNG-1#

IPoE authentication - host model

In this example, the LUDB ludb-rsap is applied to the group interface in the dhcp6, router-solicit, and dhcp contexts, but not in the ipoe-session context.

configure
    service
        ies 1
            subscriber-interface "sub-int-1"
                group-interface "grp-int-1-1"
                    ipv6
                        dhcp6
                            user-db "ludb-rsap"
                        exit
                        router-solicit
                            user-db "ludb-rsap"
                            no shutdown
                        exit
                    exit
                    dhcp
                        user-db "ludb-rsap"
                        no shutdown
                    exit
                exit

With the same debug configuration as for the IPoE session model, the LUDB is accessed multiple times when devices connect, as shown in the following trace.

13 2018/11/22 12:50:55.275 CET MINOR: DEBUG #2001 Base PIP
"PIP: DHCP
instance 1 (Base), interface index 4 (grp-int-1-1), 
   received DHCP Boot Request on Interface grp-int-1-1 (1/1/1:111) Port 67
 
   H/W Type: Ethernet(10Mb)  H/W Address Length: 6
   ciaddr: 0.0.0.0           yiaddr: 0.0.0.0
   siaddr: 0.0.0.0           giaddr: 0.0.0.0
   chaddr: 00:00:00:11:11:11    xid: 0x1"
 
 
14 2018/11/22 12:50:55.275 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
  mac: 00:00:00:11:11:11
 
  Host entry-11 found in user data base ludb-rsap"
 
 
15 2018/11/22 12:50:55.275 CET MINOR: DEBUG #2001 Base PIP
"PIP: DHCP
instance 1 (Base), interface index 4 (grp-int-1-1), 
   transmitted DHCP Boot Reply to Interface grp-int-1-1 (1/1/1:111) Port 68
 
   H/W Type: Ethernet(10Mb)  H/W Address Length: 6
   ciaddr: 0.0.0.0           yiaddr: 10.1.1.211
   siaddr: 10.1.1.254        giaddr: 10.1.1.254
   chaddr: 00:00:00:11:11:11    xid: 0x1"
 
 
16 2018/11/22 12:50:55.286 CET MINOR: DEBUG #2001 Base PIP
"PIP: DHCP
instance 1 (Base), interface index 4 (grp-int-1-1), 
   received DHCP Boot Request on Interface grp-int-1-1 (1/1/1:111) Port 67
 
   H/W Type: Ethernet(10Mb)  H/W Address Length: 6
   ciaddr: 0.0.0.0           yiaddr: 0.0.0.0
   siaddr: 0.0.0.0           giaddr: 0.0.0.0
   chaddr: 00:00:00:11:11:11    xid: 0x1"
 
 
17 2018/11/22 12:50:55.286 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
  mac: 00:00:00:11:11:11
 
  Host entry-11 found in user data base ludb-rsap"
 
 
18 2018/11/22 12:50:55.288 CET MINOR: DEBUG #2001 Base PIP
"PIP: DHCP
instance 1 (Base), interface index 4 (grp-int-1-1), 
   transmitted DHCP Boot Reply to Interface grp-int-1-1 (1/1/1:111) Port 68
   H/W Type: Ethernet(10Mb)  H/W Address Length: 6
   ciaddr: 0.0.0.0           yiaddr: 10.1.1.211
   siaddr: 10.1.1.254        giaddr: 10.1.1.254
   chaddr: 00:00:00:11:11:11    xid: 0x1"
 
 
19 2018/11/22 12:51:20.248 CET MINOR: DEBUG #2001 Base TIP
"TIP: DHCP6_PKT
   Incoming DHCP6 Msg : SOLICIT (1)
   on itf grp-int-1-1"
 
 
20 2018/11/22 12:51:20.248 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
  mac: 00:00:00:11:11:11
 
  Host entry-11 found in user data base ludb-rsap"
 
 
21 2018/11/22 12:51:20.248 CET MINOR: DEBUG #2001 Base TIP
"TIP: DHCP6_PKT
   Outgoing DHCP6 Msg : ADVERTISE (2)
   to itf grp-int-1-1"
 
 
22 2018/11/22 12:51:20.261 CET MINOR: DEBUG #2001 Base TIP
"TIP: DHCP6_PKT
   Incoming DHCP6 Msg : REQUEST (3)
   on itf grp-int-1-1"
 
 
23 2018/11/22 12:51:20.261 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
  mac: 00:00:00:11:11:11
 
  Host entry-11 found in user data base ludb-rsap"
 
 
24 2018/11/22 12:51:20.262 CET MINOR: DEBUG #2001 Base TIP
"TIP: DHCP6_PKT
   Outgoing DHCP6 Msg : REPLY (7)
   to itf grp-int-1-1"

The LUDB is accessed for every incoming message. In the proxy case, the LUDB is accessed twice per host, because the downstream messages (Offer and Reply for IPv4, Solicit and Reply for IPv6) are generated by ESM. In the relay case, where an IP address or an IP prefix is allocated by the DHCP server, the LUDB is accessed four times per host.

The command to list the active subscriber hosts is the same as for the IPoE session model, and is not repeated here. The same applies to the other commands providing origin codes.
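As an added example (not SR OS code), a small parser for the debug record format shown in the traces above that counts successful LUDB lookups per MAC address against the client messages that could have triggered them. Run over exported debug output, it tells the session model (one lookup per session) apart from the host model (one lookup per DHCPv4/DHCPv6 client message); the two sample traces are constructed from the records above.

```python
import re
from collections import Counter

# Record header in the traces above: "<seq> <date> <time> <tz> MINOR: DEBUG #<n> Base <application>"
HEADER = re.compile(r"^(\d+) (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ MINOR: DEBUG #\d+ \S+ (\w+)$")
MAC = re.compile(r"(?:chaddr|mac): ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_records(text):
    """Split debug output into (seq, timestamp, application, body) tuples.
    The body is the quoted block after a header, with quotes and blank lines dropped."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([int(m.group(1)), m.group(2), m.group(3), []])
        elif records and line.strip():
            records[-1][3].append(line.strip().strip('"'))
    return [(seq, ts, app, "\n".join(body)) for seq, ts, app, body in records]


def summarize(text):
    """Count successful LUDB lookups per MAC and the number of client messages
    (DHCPv4 Boot Requests and incoming DHCPv6 messages) that could trigger one."""
    lookups, client_messages = Counter(), 0
    for _, _, app, body in parse_records(text):
        if app == "LUDB" and "User lookup success" in body:
            m = MAC.search(body)
            lookups[m.group(1).lower() if m else "unknown"] += 1
        elif app == "PIP" and "received DHCP Boot Request" in body:
            client_messages += 1
        elif app == "TIP" and "Incoming DHCP6 Msg" in body:
            client_messages += 1
    return {"lookups": dict(lookups), "client_messages": client_messages}


def make_trace(events):
    """Build a constructed trace in the format of the page's debug output."""
    return "\n \n \n".join(
        f'{i} 2018/11/22 12:45:{i:02d}.000 CET MINOR: DEBUG #2001 Base {app}\n"{body}"'
        for i, (app, body) in enumerate(events, 1))


# Constructed record bodies modelled on the traces above.
MAC11 = "00:00:00:11:11:11"
DISCOVER = ("PIP: DHCP\n   received DHCP Boot Request on Interface grp-int-1-1 (1/1/1:111) Port 67\n"
            f"   chaddr: {MAC11}    xid: 0x1")
OFFER = ("PIP: DHCP\n   transmitted DHCP Boot Reply to Interface grp-int-1-1 (1/1/1:111) Port 68\n"
         f"   chaddr: {MAC11}    xid: 0x1")
LUDB_HIT = (f"LUDB: User lookup success - host found\n  mac: {MAC11}\n \n"
            "  Host entry-11 found in user data base ludb-rsap")
SOLICIT = "TIP: DHCP6_PKT\n   Incoming DHCP6 Msg : SOLICIT (1)\n   on itf grp-int-1-1"
ADVERTISE = "TIP: DHCP6_PKT\n   Outgoing DHCP6 Msg : ADVERTISE (2)\n   to itf grp-int-1-1"
REQUEST6 = "TIP: DHCP6_PKT\n   Incoming DHCP6 Msg : REQUEST (3)\n   on itf grp-int-1-1"
REPLY6 = "TIP: DHCP6_PKT\n   Outgoing DHCP6 Msg : REPLY (7)\n   to itf grp-int-1-1"

# Session model: one lookup right after the Discover. Host model: a lookup per client message.
SESSION_MODEL_TRACE = make_trace([
    ("PIP", DISCOVER), ("LUDB", LUDB_HIT), ("PIP", OFFER), ("PIP", DISCOVER), ("PIP", OFFER),
    ("TIP", SOLICIT), ("TIP", ADVERTISE), ("TIP", REQUEST6), ("TIP", REPLY6)])
HOST_MODEL_TRACE = make_trace([
    ("PIP", DISCOVER), ("LUDB", LUDB_HIT), ("PIP", OFFER), ("PIP", DISCOVER), ("LUDB", LUDB_HIT),
    ("PIP", OFFER), ("TIP", SOLICIT), ("LUDB", LUDB_HIT), ("TIP", ADVERTISE), ("TIP", REQUEST6),
    ("LUDB", LUDB_HIT), ("TIP", REPLY6)])

if __name__ == "__main__":
    print("session model:", summarize(SESSION_MODEL_TRACE))
    print("host model:   ", summarize(HOST_MODEL_TRACE))
```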

PPPoE authentication

In this example, the LUDB ludb-rsap is applied to the group interface in the pppoe context.

configure
    service
        ies 1
            subscriber-interface "sub-int-1"
                group-interface "grp-int-1-1"
                    pppoe
                        user-db "ludb-rsap"
                        no shutdown
                    exit
                exit

The following debug configuration applies for this example.

debug
    service
        id 1
            ppp
                packet
                    mode egr-ingr-and-dropped
                    detail-level high
                    discovery
                    ppp
                    dhcp-client
                exit
            exit
        exit
    exit
    subscriber-mgmt
        local-user-db "ludb-rsap"
            detail all
        exit
    exit
exit

The trace shows that the LUDB ludb-rsap is accessed once when user sub55@domain1 connects. In this example, the LUDB is accessed in the middle of the CHAP authentication.

---snip---
 
37 2018/11/22 12:52:59.419 CET MINOR: DEBUG #2001 Base PPPoE
"PPPoE: TX Packet
   IES 1, SAP 1/1/1:111
 
   DMAC: 00:00:00:55:55:55
   SMAC: 02:17:01:01:00:01
   Ether Type: 0x8864 (Session)
 
   PPPoE Header:
   Version: 1                 Type      : 1
   Code   : 0x00              Session-Id: 0x0001 (1)
   Length : 50
 
   PPP:
   Protocol  : 0xc223 (CHAP)
   Code      : 1 (Challenge)
   Identifier: 1              Length    : 48
 
   Value-Size: 38
   Value     : 3c d2 f7 9c 6b d5 9d 12 0e d7 96 8e ac d8 61 b5 e2 d2 8c 06 8a
   8b 50 b3 10 f4 d3 81 80 f8 ca 3d 4b 42 d9 b6 98 78
   Name      : "BNG-1"
 
   Hex Packet Dump:
   11 00 00 01 00 32 c2 23 01 01 00 30 26 3c d2 f7 9c 6b d5 9d 12 0e d7 96 8e
   ac d8 61 b5 e2 d2 8c 06 8a 8b 50 b3 10 f4 d3 81 80 f8 ca 3d 4b 42 d9 b6 98
   78 42 4e 47 2d 31"
 
 
38 2018/11/22 12:52:59.420 CET MINOR: DEBUG #2001 Base PPPoE
"PPPoE: RX Packet
   IES 1, SAP 1/1/1:111
 
   DMAC: 02:17:01:01:00:01
   SMAC: 00:00:00:55:55:55
   Ether Type: 0x8864 (Session)
 
   PPPoE Header:
   Version: 1                 Type      : 1
   Code   : 0x00              Session-Id: 0x0001 (1)
   Length : 36
 
   PPP:
   Protocol  : 0xc223 (CHAP)
   Code      : 2 (Response)
   Identifier: 1              Length    : 34
 
   Value-Size: 16
   Value     : c5 02 13 0e 6c bf f4 58 61 51 e8 92 91 7c 53 94
   Name      : "sub55@domain1"
 
   Hex Packet Dump:
   11 00 00 01 00 24 c2 23 02 01 00 22 10 c5 02 13 0e 6c bf f4 58 61 51 e8 92
   91 7c 53 94 73 75 62 35 35 40 64 6f 6d 61 69 6e 31 00 00 00 00"
 
 
39 2018/11/22 12:52:59.420 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
  user-name:
    original:  sub55@domain1
    masked:    sub55@domain1
 
  Host entry-55 found in user data base ludb-rsap"
 
 
40 2018/11/22 12:52:59.420 CET MINOR: DEBUG #2001 Base PPPoE
"PPPoE: TX Packet
   IES 1, SAP 1/1/1:111
 
   DMAC: 00:00:00:55:55:55
   SMAC: 02:17:01:01:00:01
   Ether Type: 0x8864 (Session)
 
   PPPoE Header:
   Version: 1                 Type      : 1
   Code   : 0x00              Session-Id: 0x0001 (1)
   Length : 33
 
   PPP:
   Protocol  : 0xc223 (CHAP)
   Code      : 3 (Success)
   Identifier: 1              Length    : 31
 
   Message: "CHAP authentication success"
 
   Hex Packet Dump:
   11 00 00 01 00 21 c2 23 03 01 00 1f 43 48 41 50 20 61 75 74 68 65 6e 74 69
   63 61 74 69 6f 6e 20 73 75 63 63 65 73 73"
   
---snip---
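The CHAP exchange in the trace above can be checked offline. The following Python is an added example, not code from the SR OS guide or from Nokia: it parses the two hex packet dumps shown above (PPPoE session header plus PPP CHAP Challenge and Response) and verifies the Response the way the BNG does once the LUDB lookup has returned the user's password. The LUDB contents, including the CHAP secret, are constructed for the example; the real password of sub55@domain1 is not on the page, so the page's own Response is shown not to match the made-up secret.

```python
"""Added example, not code from the SR OS guide: parse the PPPoE/CHAP debug
dumps shown above and verify a CHAP response the way a BNG checks it against
an LUDB entry (RFC 1994: Response = MD5(Identifier || secret || Challenge)).
The LUDB secret is constructed; the real password of sub55@domain1 is not on
the page, so the page's own response is shown not to match it."""
import hashlib
import hmac
from dataclasses import dataclass

PPP_CHAP = 0xC223

# Hex packet dumps copied from the debug output above (PPPoE header onwards).
CHALLENGE_HEX = """
11 00 00 01 00 32 c2 23 01 01 00 30 26 3c d2 f7 9c 6b d5 9d 12 0e d7 96 8e
ac d8 61 b5 e2 d2 8c 06 8a 8b 50 b3 10 f4 d3 81 80 f8 ca 3d 4b 42 d9 b6 98
78 42 4e 47 2d 31"""
RESPONSE_HEX = """
11 00 00 01 00 24 c2 23 02 01 00 22 10 c5 02 13 0e 6c bf f4 58 61 51 e8 92
91 7c 53 94 73 75 62 35 35 40 64 6f 6d 61 69 6e 31 00 00 00 00"""


@dataclass
class ChapPacket:
    session_id: int
    code: int          # 1 Challenge, 2 Response, 3 Success, 4 Failure
    identifier: int
    value: bytes       # challenge value or response hash (empty for 3/4)
    text: str          # Name (codes 1/2) or Message (codes 3/4)


def parse_pppoe_chap(raw: bytes) -> ChapPacket:
    """Parse a PPPoE session frame (Ethertype 0x8864 payload) carrying CHAP.
    Lengths come from the PPPoE and CHAP headers, not from len(raw): the
    response dump above ends in four bytes of Ethernet padding, and trusting
    the buffer length would fold them into the Name."""
    if len(raw) < 8 or raw[0] != 0x11 or raw[1] != 0x00:
        raise ValueError("not a PPPoE v1/type 1 session frame")
    session_id = int.from_bytes(raw[2:4], "big")
    length = int.from_bytes(raw[4:6], "big")
    payload = raw[6:6 + length]
    if length < 6 or len(payload) != length or int.from_bytes(payload[:2], "big") != PPP_CHAP:
        raise ValueError("truncated frame or not CHAP")
    chap = payload[2:]
    chap_code, ident, chap_len = chap[0], chap[1], int.from_bytes(chap[2:4], "big")
    if not 4 <= chap_len <= len(chap):
        raise ValueError("bad CHAP length")
    body = chap[4:chap_len]
    if chap_code not in (1, 2):                      # Success/Failure: Message only
        return ChapPacket(session_id, chap_code, ident, b"", body.decode("ascii", "replace"))
    value_size = body[0]
    if 1 + value_size > len(body):
        raise ValueError("CHAP Value-Size exceeds packet")
    return ChapPacket(session_id, chap_code, ident,
                      body[1:1 + value_size], body[1 + value_size:].decode("ascii", "replace"))


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier, secret and Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_chap(challenge: ChapPacket, response: ChapPacket, ludb: dict) -> bool:
    """Check a Response against {user-name: secret}, as the BNG does after
    'LUDB: User lookup success'. CHAP needs the secret in cleartext on the
    authenticator, so the LUDB holds a recoverable password, not a one-way hash."""
    if challenge.code != 1 or response.code != 2:
        return False
    if (response.identifier, response.session_id) != (challenge.identifier, challenge.session_id):
        return False                 # must answer this challenge, not a replayed one
    secret = ludb.get(response.text)
    if secret is None:
        return False
    expected = chap_response(challenge.identifier, secret, challenge.value)
    return hmac.compare_digest(expected, response.value)   # constant-time compare


def packet_from_dump(dump: str) -> ChapPacket:
    return parse_pppoe_chap(bytes.fromhex(dump.replace("\n", " ")))


CHALLENGE = packet_from_dump(CHALLENGE_HEX)
RESPONSE = packet_from_dump(RESPONSE_HEX)
LUDB = {"sub55@domain1": b"constructed-secret"}   # constructed, not the real password


def demo() -> dict:
    """Page response vs. made-up secret: no match. Fresh response computed with
    that secret: match. Same hash replayed under another Identifier: rejected."""
    own = ChapPacket(RESPONSE.session_id, 2, RESPONSE.identifier,
                     chap_response(CHALLENGE.identifier, LUDB["sub55@domain1"], CHALLENGE.value),
                     "sub55@domain1")
    replay = ChapPacket(own.session_id, 2, own.identifier + 1, own.value, own.text)
    return {"page_response": verify_chap(CHALLENGE, RESPONSE, LUDB),
            "own_response": verify_chap(CHALLENGE, own, LUDB),
            "replayed_response": verify_chap(CHALLENGE, replay, LUDB)}
```

Two points follow from the construction. Because the authenticator needs the secret itself, the LUDB configuration and its backups are credential material and must be protected as such. And because the Response is an unkeyed MD5 over a value the attacker can also see on the wire, anyone capturing the Challenge and Response can run an offline dictionary attack against the password, which is why a strong per-subscriber secret matters even though CHAP never sends it in clear.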

With this dual stack PPP user connected, the subscriber hosts created are:

*A:BNG-1# show service id 1 subscriber-hosts
 
=============================================================
Subscriber Host table
=============================================================
Sap                    Subscriber                
  IP Address                                     
    MAC Address          PPPoE-SID Origin       Fwding State
-------------------------------------------------------------
1/1/1:111              sub-55
  10.1.1.225
    00:00:00:55:55:55    1         IPCP         Fwding
1/1/1:111              sub-55
  2001:db8:101:55::55/128
    00:00:00:55:55:55    1         PPP-DHCP6    Fwding
1/1/1:111              sub-55
  2001:db8:f101:5500::/56
    00:00:00:55:55:55    1         PPP-DHCP6    Fwding
-------------------------------------------------------------
Number of subscriber hosts : 3
=============================================================
*A:BNG-1#

Detailed session information for PPP user sub55@domain1 shows the origin codes.

*A:BNG-1# show service id 1 ppp session user-name "sub55@domain1" detail
 
===============================================================================
PPP sessions for service 1
===============================================================================
User-Name            : sub55@domain1
 
Description          : svc:1 sap:1/1/1:111 mac:00:00:00:55:55:55 sid:1
Up Time              : 0d 00:01:00
Type                 : oE
Termination          : local
IP/L2TP-Id/If-Id     : 10.1.1.225 02:00:00:FF:FE:55:55:55
MC-Standby           : No
Session Time Left    : N/A
 
LCP State            : Opened
IPCP State           : Opened
IPv6CP State         : Opened
PPP MTU              : 1492
PPP Auth-Protocol    : CHAP
PPP User-Name        : sub55@domain1
 
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1-1
 
IP Origin            : local-user-db
DNS Origin           : local-user-db
NBNS Origin          : none
 
Subscriber           : "sub-55"
Sub-Profile-String   : "sub-prof-3"
SLA-Profile-String   : "sla-prof-5"
SPI group ID         : (Not Specified)
 
---snip---
 
IP Address           : 10.1.1.225/32
Primary DNS          : 2.2.2.2
Secondary DNS        : N/A
Primary NBNS         : N/A
Secondary NBNS       : N/A
Address-Pool         : N/A
IPv6 Prefix          : N/A
IPv6 Prefix Origin   : none
IPv6 Prefix Pool     : ""
IPv6 Del.Pfx.        : 2001:db8:f101:5500::/56
IPv6 Del.Pfx. Origin : local-user-db
IPv6 Del.Pfx. Pool   : ""
IPv6 Address         : 2001:db8:101:55::55
IPv6 Address Origin  : local-user-db
IPv6 Address Pool    : ""
Primary IPv6 DNS     : 2001:db8:ddd:1::1
Secondary IPv6 DNS   : 2001:db8:ddd:2::1
Router adv. policy   : N/A
 
---snip---
 
-------------------------------------------------------------------------------
No. of sessions: 1
===============================================================================
*A:BNG-1#

The following command shows the lease origin.

*A:BNG-1# show service id 1 dhcp6 lease-state session ppp 
  
===============================================================================
DHCP lease state table, service 1
===============================================================================
IP Address      Mac Address       Sap/Sdp Id          Remaining  Lease    MC
                                                      LeaseTime  Origin   Stdby
-------------------------------------------------------------------------------
2001:db8:101:55::55/128
                00:00:00:55:55:55 1/1/1:111           23h58m07s  UserDb    
2001:db8:f101:5500::/56
                00:00:00:55:55:55 1/1/1:111           23h58m07s  UserDb    
-------------------------------------------------------------------------------
Number of lease states : 2
===============================================================================
*A:BNG-1#

Regular SAPs versus capture and managed SAPs

When an LUDB is to be used for regular SAPs, the LUDB must be assigned at the group interface level of a Layer 3 service (IES or VPRN). This LUDB is then used for all SAPs on that group interface, as described in the section Applying an LUDB for ESM.

When an LUDB is to be used for capture and managed SAPs, the LUDB must be assigned at the capture SAPs of the Layer 2 (VPLS) service and at the group interface level of the corresponding Layer 3 service (IES or VPRN).

Because the managed SAPs are dynamically created at the group interface of a Layer 3 service, this service must have its authentication configuration aligned with the Layer 2 service; see LUDB authentication for capture and managed SAPs.

Capture and managed SAPs support IPoE (session and host model) and PPP.

The capture VPLS is defined as follows.

configure
    service
        vpls 3 customer 1 create
            stp
                shutdown
            exit
            sap 1/1/2:* capture-sap create
                trigger-packet arp dhcp dhcp6 pppoe rtr-solicit
                dhcp-user-db "ludb-cmsap"
                pppoe-user-db "ludb-cmsap"
                ipoe-session
                    ipoe-session-policy "ipoe-sess-1"
                    user-db "ludb-cmsap"
                    no shutdown
                exit
                msap-defaults
                    group-interface "grp-int-1-1"
                    policy "msap-pol-1"
                    service 2
                exit
            exit
            no shutdown
        exit

The VPRN on which the managed SAPs are created is defined as follows.

configure
    service
        vprn 2 customer 1 create
            ---snip---
            subscriber-interface "sub-int-1" create
                address 10.111.1.254/24
                ipv6
                    delegated-prefix-len 56
                    subscriber-prefixes
                        prefix 2001:db8:901::/48 wan-host
                        prefix 2001:db8:f901::/48 pd
                    exit
                exit
                group-interface "grp-int-1-1" create
                    ---snip---
                    ipoe-session
                        ipoe-session-policy "ipoe-sess-1"
                        sap-session-limit 100
                        user-db "ludb-cmsap"
                        no shutdown
                    exit
                    oper-up-while-empty
                    pppoe
                        session-limit 100
                        user-db "ludb-cmsap"
                        no shutdown
                    exit
                exit
            exit
        exit

The msap-defaults needed for creation of the managed SAPs can be taken from the capture SAP, but can also be obtained from an LUDB, as the following example shows. In that case, they overrule the capture SAP msap-defaults.

configure
    subscriber-mgmt
        local-user-db "ludb-cmsap" create
            description "LUDB for capture/managed SAPs"
            ipoe
                match-list mac
                host "entry-1" create
                    host-identification
                        mac 00:00:00:01:01:01
                    exit
                    address 10.111.1.101
                    identification-strings 254 create
                        subscriber-id "sub-priv-1"
                        sla-profile-string "sla-prof-3"
                        sub-profile-string "sub-prof-4"
                    exit
                    msap-defaults
                        group-interface "grp-int-1-1"
                        policy "msap-pol-1"
                        service 2
                    exit
                    options
                        subnet-mask 255.255.255.0
                    exit
                    ipv6-address 2001:db8:901:11::11
                    ipv6-delegated-prefix 2001:db8:f901:1100::/56
                    ipv6-delegated-prefix-len 56
                    no shutdown
                exit
            exit
            ppp
                match-list mac
                host "entry-1" create
                    host-identification
                        mac 00:00:00:05:05:05
                    exit
                    address 10.111.1.105/32
                    identification-strings 254 create
                        subscriber-id "sub-05"
                        sla-profile-string "sla-prof-2"
                        sub-profile-string "sub-prof-4"
                    exit
                    msap-defaults
                        group-interface "grp-int-1-1"
                        policy "msap-pol-1"
                        service 2
                    exit
                    ipv6-address 2001:db8:901:5::5
                    ipv6-delegated-prefix 2001:db8:f901:500::/56
                    ipv6-delegated-prefix-len 56
                    no shutdown
                exit
            exit

Detailed information on managed and capture SAPs is in the Managed SAPs with Routed CO chapter.

The commands to display the subscribers, lease, and session states with the origin codes are the same as in the section PPPoE authentication, so these are not repeated.

LUDB for ESM as RADIUS fallback

RADIUS fallback can be triggered in the following situations; see also LUDB authentication for regular SAPs and LUDB authentication for capture and managed SAPs:

  • with the authentication policy directly assigned at the group interface level

  • with the authentication policy referenced from an LUDB

In the second case, first-level authentication is performed by the LUDB and second-level authentication by the RADIUS server. In both cases, fallback happens when the RADIUS server is not reachable.

Note:

RADIUS fallback is not supported when the LUDB is attached to the group interface or capture SAP via the ipv6 dhcp6 and rtr-solicit contexts.

Although RADIUS fallback applies to both IPoE and PPP, only IPoE is shown in the example that follows.

To demonstrate the use of an LUDB for RADIUS fallback, the configuration of the previous example with capture and managed SAPs is modified, as follows.

# the (capture-)VPLS
configure
    service
        vpls 3 customer 1 create
            sap 1/1/2:* capture-sap create
                authentication-policy "auth-pol-1"
                exit
            exit
        exit
    exit
# the VPRN
configure
    service
        vprn 2 customer 1 create
            subscriber-interface "sub-int-1"
                group-interface "grp-int-1-1"
                    authentication-policy "auth-pol-1"
                exit
            exit
        exit
    exit

The authentication policy is applied in the VPLS at the SAP level, and in the VPRN at the group interface level. Even when LUDBs are assigned in other contexts at that group interface, the authentication policy takes priority, so RADIUS is consulted first.

The LUDB used for RADIUS fallback is defined as follows, and both the ipoe and the ppp sections contain a default host entry.

configure
    subscriber-mgmt
        local-user-db "ludb-radiusfb" create
            description "LUDB for RADIUS fallback"
            ipoe
                match-list mac
                host "default" create
                    msap-defaults
                        group-interface "grp-int-1-1"
                        policy "msap-pol-1"
                        service 2
                    exit
                    no shutdown
                exit
            exit
            ppp
                match-list username
                host "default" create
                    msap-defaults
                        group-interface "grp-int-1-1"
                        policy "msap-pol-1"
                        service 2
                    exit
                    no shutdown
                exit
            exit
            no shutdown
        exit

The authentication policy from which this LUDB is referenced is defined as follows.

configure 
    subscriber-mgmt 
        authentication-policy "auth-pol-1" create
            fallback-action user-db "ludb-radiusfb"
            radius-server-policy "rsp-1"
        exit

The definition of the RADIUS server policy is not relevant here, so it is not shown.

The following debug configuration applies.


debug
    router "Base"
        radius
            packet-type authentication accounting coa
            detail-level high
        exit
    exit
    router "2"
        ip
            dhcp
                detail-level medium
                mode egr-ingr-and-dropped
            exit
        exit
    exit
    service
        id 3
            dhcp
                mode egr-ingr-and-dropped
            exit
        exit
    exit
    subscriber-mgmt
        local-user-db "ludb-radiusfb"
            detail all
        exit
    exit
exit

The following partial debug output shows that when a DHCPv4 user connects, the LUDB ludb-radiusfb is accessed after failing to connect to the RADIUS server. Similar debug output appears when connecting through DHCPv6 via IPoE sessions, or PPP.

62 2018/11/22 13:03:15.510 CET MINOR: DEBUG #2001 Base SVCMGR
"SVCMGR: RX DHCP Packet
   VPLS 3, SAP 1/1/2:*
 
   BootRequest to UDP port 67
   ciaddr: 0.0.0.0           yiaddr: 0.0.0.0
   siaddr: 0.0.0.0           giaddr: 0.0.0.0
   chaddr: 00:00:00:01:01:01    xid: 0x3
 
   DHCP options:
   [82] Relay agent information: len = 8
      [1] Circuit-id: 11
      [2] Remote-id: AA
   [53] Message type: Discover
   [255] End"
 
 
63 2018/11/22 13:03:15.510 CET MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Transmit
  server 192.168.66.66:1812 not reachable"
 
 
 
64 2018/11/22 13:03:15.510 CET MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Access-Request
  user 00:00:00:01:01:01  policy rsp-1
  send failed"
 
 
65 2018/11/22 13:03:15.510 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
  mac: 00:00:00:01:01:01
 
  Host default found in user data base ludb-radiusfb"
 
 
66 2018/11/22 13:03:15.513 CET MINOR: DEBUG #2001 vprn2 PIP
"PIP: DHCP
instance 2 (2), interface index 10 (grp-int-1-1), 
   received DHCP Boot Request on Interface grp-int-1-1 (1/1/2:123) Port 67
   H/W Type: Ethernet(10Mb)  H/W Address Length: 6
   ciaddr: 0.0.0.0           yiaddr: 0.0.0.0
   siaddr: 0.0.0.0           giaddr: 0.0.0.0
   chaddr: 00:00:00:01:01:01    xid: 0x3
   DHCP options:
   [82] Relay agent information: len = 8
      [1] Circuit-id: 11
      [2] Remote-id: AA
   [53] Message type: Discover
   [255] End"
  
---snip---
 
72 2018/11/22 13:03:15.524 CET MINOR: DEBUG #2001 vprn2 PIP
"PIP: DHCP
instance 2 (2), 
   received DHCP Boot Reply on 10.111.111.1 Port 67
 
   H/W Type: Ethernet(10Mb)  H/W Address Length: 6
   ciaddr: 0.0.0.0           yiaddr: 10.111.1.3
   siaddr: 10.111.111.1      giaddr: 10.111.1.254
   chaddr: 00:00:00:01:01:01    xid: 0x3
 
   DHCP options:
   [82] Relay agent information: len = 8
      [1] Circuit-id: 11
      [2] Remote-id: AA
   [53] Message type: Ack
   [54] DHCP server addr: 10.111.111.1
   [51] Lease time: 864000
   [1] Subnet mask: 255.255.255.0
   [255] End"
 
 
73 2018/11/22 13:03:15.525 CET MINOR: DEBUG #2001 vprn2 PIP
"PIP: DHCP
instance 2 (2), interface index 10 (grp-int-1-1), 
   transmitted DHCP Boot Reply to Interface grp-int-1-1 (1/1/2:123) Port 68
 
   H/W Type: Ethernet(10Mb)  H/W Address Length: 6
   ciaddr: 0.0.0.0           yiaddr: 10.111.1.3
   siaddr: 10.111.111.1      giaddr: 10.111.1.254
   chaddr: 00:00:00:01:01:01    xid: 0x3
   DHCP options:
   [82] Relay agent information: len = 8
      [1] Circuit-id: 11
      [2] Remote-id: AA
   [53] Message type: Ack
   [54] DHCP server addr: 10.111.111.1
   [51] Lease time: 864000
   [1] Subnet mask: 255.255.255.0
   [255] End"

In this example, the LUDB accessed on RADIUS fallback defines a default host for ipoe as well as for ppp with msap-defaults only, which means DHCP relay applies and the DHCPv4 and DHCPv6 servers provide the IP addresses and prefixes. Because the default host carries no host-identification, any device that triggers authentication while the RADIUS server is unreachable is admitted with these defaults and without a per-subscriber check (the MAC address in the debug output above is not in the LUDB), so choose what the fallback LUDB returns accordingly.

See LUDB parameters for IPoE and LUDB parameters for PPPoE for the list of supported parameters for IPoE and PPP in the RADIUS fallback scenario.
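A fallback to a default host means devices are admitted without a per-subscriber check while RADIUS is down, so operations should know when it happens. The following Python is an added example, not part of the SR OS guide or Nokia's code: it parses debug records in the format shown above and correlates a failed Access-Request with a subsequent lookup in the fallback LUDB for the same subscriber key (MAC for IPoE, user-name for PPP). The sample log is built from records 62 to 65 above, trimmed, plus one constructed control record taken from the regular-SAP lookup earlier on the page; the function names and the record-layout assumptions are the example's own.

```python
"""Added example, not code from the SR OS guide: correlate the debug records
shown above to detect subscribers being admitted by the RADIUS-fallback LUDB.
The fallback LUDB above has a 'default' host without host-identification, so
while RADIUS is unreachable any MAC that sends DHCP gets the msap-defaults and
no per-subscriber check; that condition is worth an alert."""
import re
from dataclasses import dataclass

# Record header as printed in the SR OS debug log (assumed layout, from the page).
HEADER = re.compile(r"^\s*(?P<seq>\d+) (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
                    r"(?P<tz>\S+) (?P<sev>\w+): DEBUG #(?P<event>\d+) (?P<router>\S+) (?P<app>\S+)\s*$")
RADIUS_UNREACHABLE = re.compile(r"server (?P<server>\S+) not reachable")
RADIUS_SEND_FAILED = re.compile(r"user (?P<user>\S+)\s+policy (?P<policy>\S+)\s+send failed")
LUDB_HOST_FOUND = re.compile(r"Host (?P<host>\S+) found in user data base (?P<ludb>\S+)")
LUDB_KEY = re.compile(r"(?:mac|original):\s+(?P<key>\S+)")   # MAC (IPoE) or user-name (PPP)


@dataclass
class Record:
    seq: int
    ts: str
    app: str
    body: str


def parse_debug_log(text: str) -> list:
    """Split the debug stream into records: a header line followed by a quoted,
    possibly multi-line body (surrounding quote characters removed)."""
    records, header, body = [], None, []

    def flush():
        if header:
            records.append(Record(int(header["seq"]), header["ts"], header["app"],
                                  "\n".join(body).strip().strip('"')))

    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            flush()
            header, body = m, []
        elif header:
            body.append(line)
    flush()
    return records


def detect_radius_fallback(records: list, fallback_ludb: str) -> list:
    """Flag an LUDB lookup in the fallback database that follows a failed
    Access-Request for the same subscriber key. Returns one alert per match."""
    alerts, unreachable, failed = [], None, {}
    for rec in records:
        if rec.app == "RADIUS":
            m = RADIUS_UNREACHABLE.search(rec.body)
            if m:
                unreachable = m["server"]            # remembered for the next send failure
            m = RADIUS_SEND_FAILED.search(rec.body)
            if m:
                failed[m["user"].lower()] = {"policy": m["policy"], "server": unreachable,
                                             "radius_seq": rec.seq}
        elif rec.app == "LUDB":
            host, key = LUDB_HOST_FOUND.search(rec.body), LUDB_KEY.search(rec.body)
            if host and key and host["ludb"] == fallback_ludb and key["key"].lower() in failed:
                alerts.append({"subscriber": key["key"], "host": host["host"], "ludb": host["ludb"],
                               "ts": rec.ts, "ludb_seq": rec.seq, **failed.pop(key["key"].lower())})
    return alerts


# Sample input: records 62-65 are trimmed from the debug output above; record 66 is
# constructed from the regular-SAP lookup earlier on the page as a non-fallback control.
SAMPLE_LOG = '''
62 2018/11/22 13:03:15.510 CET MINOR: DEBUG #2001 Base SVCMGR
"SVCMGR: RX DHCP Packet
   chaddr: 00:00:00:01:01:01    xid: 0x3"

63 2018/11/22 13:03:15.510 CET MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Transmit
  server 192.168.66.66:1812 not reachable"

64 2018/11/22 13:03:15.510 CET MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Access-Request
  user 00:00:00:01:01:01  policy rsp-1
  send failed"

65 2018/11/22 13:03:15.510 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
  mac: 00:00:00:01:01:01

  Host default found in user data base ludb-radiusfb"

66 2018/11/22 13:03:20.000 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
  user-name:
    original:  sub55@domain1
    masked:    sub55@domain1

  Host entry-55 found in user data base ludb-rsap"
'''


def sample_alerts() -> list:
    return detect_radius_fallback(parse_debug_log(SAMPLE_LOG), "ludb-radiusfb")
```

The correlation keys on the subscriber identifier rather than on timing alone, so a regular LUDB lookup (record 66, database ludb-rsap) produces no alert even though it follows the RADIUS failure. In production the same logic would run over the router's exported log, and the alert would carry the unreachable server and policy name so the RADIUS outage and the fallback admissions are handled as one incident.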

Operational considerations and remarks

The operational considerations listed in the Local User Database Basics chapter still apply.

To maintain backward compatibility with previous software releases, LUDB informational and error messages are sent to the logs as if they originate from the DHCPS application (DHCPS #xyz in the log output), even though the debug traces above label them LUDB.

Conclusion

LUDBs offer a self-contained method of providing ESM data locally stored on the router, so that no external database is needed for supporting authentication. When authentication relies on a RADIUS server that becomes unreachable, an LUDB can provide the ESM data instead through RADIUS fallback. LUDBs can be used on regular, managed, and capture SAPs.