Flexible Authentication Model in ESM

This chapter provides information about Flexible Authentication Models in ESM.

Topics in this chapter include:

Applicability

This chapter is applicable to SR OS routers in the Routed Central Office (RCO) model and was initially written for SR OS Release 11.0.R2, but the CLI in the current edition is based on SR OS Release 15.0.R2.

Overview

The flexible authentication model for IPoE and PPPoE subscribers allows for mixing of configuration parameters obtained during the authentication phase from different sources: Local User Database (LUDB), RADIUS, or DHCP options that can be populated via a custom Python script. In case the same parameter is available from multiple sources, a priority mechanism is enforced whereby the parameter received from a higher priority source overrides the parameters received from the lower priority source in the following priority: LUDB to RADIUS to Python.

In this chapter we will configure a dual-stack IPoE and a dual stack PPPoE host using four different methods to obtain their configuration parameters. The setup will utilize a single BNG node with a locally configured DHCP server and LUDB as well as an external RADIUS server. Subscriber hosts are instantiated on managed (dynamic) SAPs.

The subscriber configuration parameters are in general divided into two categories:

  • IP addressing parameters of the host — IPv4/v6 address/prefix, DNS servers, IPv4 default-gateway, IPv4 subnet-mask, IPv4/v6 address pool name, DHCPv4/v6 lease times, etc.

  • Non IP addressing parameters of the host — Subscriber hosts strings are used to associate the subscriber-host with the desired level of service (sub/sla-profiles, inter-dest-id string, etc); managed routes are used for routing purposes to/from the host; etc.

The following four scenarios will be examined:

  1. DHCP relay case (IP address is assigned via local DHCP server) with NO authentication. See DHCP Relay Case with No Authentication.

  2. DHCP relay case (IP address is assigned via local DHCP server) with LUDB + RADIUS authentication. See DHCP Relay Case with LUDB + RADIUS Authentication.

    RADIUS provides: sub/sla-profile strings and a framed IPv4 route.

    LUDB provides: IP address pool, inter-dest-id string for Vport assignment, msap-defaults (routing context parameters and msap-policy).

  3. IP proxy case (IP address is assigned via RADIUS) with LUDB + RADIUS authentication. IP Proxy Case with LUDB + RADIUS Authentication

    RADIUS provides: IP addresses and related parameters (DNS server, IPv4 default-gateway, etc), inter-dest-id string for Vport assignment and a framed route.

    IPv6 lease-times are provided under the group-interface.

    LUDB provides: sub/sla-profile strings and msap-defaults (routing context parameters and msap-policy).

  4. IP proxy case (IP address is assigned via LUDB) with LUDB + RADIUS authentication. IP Proxy Case with LUDB + RADIUS Authentication

    RADIUS provides: sub/sla-profile strings and a framed IPv4 route.

    LUDB provides IP addresses and related parameters (DNS server, IPv4 default-gateway, etc), inter-dest-id string for Vport assignment and msap-defaults (routing context parameters and msap-policy).

In cases 2-4, the domain-name domain1 is appended to the IPoE and PPPoE username in LUDB, before RADIUS authentication takes place.

Configuration

The topology is shown in Topology.

Figure 1. Topology

There is a common part of the configuration that applies uniformly across all four examined scenarios. This common part is outlined below and will not be repeated again when we describe more specific cases. It is assumed that the more specific cases also contain this common part of the configuration.

Common Configuration Part

Access Ethernet Port with QinQ Encapsulation

The following output displays a configuration example.

configure 
    port 1/1/1
        ethernet 
            mode access
            encap-type dot1q
        exit
    exit
exit

Capture SAP

A capture SAP is used to dynamically detect the VLAN id(s) in incoming DHCP/PPPoE packets (triggering packets) and conditionally instantiate the managed (dynamic) SAP. LUDB must be configured under the capture SAP to authorize the user accessing the capture SAP. The LUDB may contain additional parameters needed to set up the subscriber, it can point the subscriber to the RADIUS server for additional parameters or it may contain a default subscriber-host entry without any configuration parameters.

In this case, the msap-defaults under the capture SAP is used to select the routing context where the msap is created. msap-defaults can be also configured in the LUDB or be supplied via RADIUS.

PPPoE policy and msap policy are used to define PPPoE and SAP level parameters. Because the (dynamic) SAP does not exist at the time when the initial DHCP/PPPoE packets are received, the PPPoE/SAP level parameters are taken from the PPPoE/msap policy under the capture SAP. For example, those parameters are used in the PPP PADx/LCP/Authentication setup phase, they define default subscriber host strings, maximum number of subscriber hosts per SAP, the anti-spoofing mode, etc.

The X in the LUDB name (ludb-X) has to be replaced by a number depending on the scenario.

configure
    service
        vpls 2 customer 1 create
            stp
                shutdown
            exit
            sap 1/1/1:* capture-sap create
                description "open DHCP model testing"
                trigger-packet dhcp dhcp6 pppoe
                dhcp-user-db "ludb-X"
                dhcp6-user-db "ludb-X"
                pppoe-policy "pppoe-pol-1"
                pppoe-user-db "ludb-X"
                msap-defaults
                    group-interface "grp-int-1"
                    policy "msap-pol-1"    
                    service 1
                exit
            exit
            no shutdown
        exit
    exit
exit

auto-sub-id

The auto-sub-id-key command can be used in situations where the more specific subscriber-id string is not returned from LUDB or RADIUS. In this case, the auto subscriber-id for IPoE hosts is set to the circuit-id while for PPPoE hosts the auto subscriber-id is set to the circuit-id plus session-id separated by the ‟|” delimiter which is inserted by default.

configure
    subscriber-mgmt
        auto-sub-id-key
            ipoe-sub-id-key circuit-id   
            ppp-sub-id-key circuit-id session-id   
        exit
    exit
exit 

PPPoE Policy

There is a maximum of PPPoE sessions per MAC on a managed SAP. The default is 1 but is increased here to 10.

configure
    subscriber-mgmt
        ppp-policy "pppoe-pol-1" create
            ppp-mtu 1400
            max-sessions-per-mac  10  
        exit
    exit
exit

MSAP Policy

The MSAP policy defines the anti-spoofing mode which is in this particular example set to next-hop MAC (nh-mac). It also defines the default subscriber management parameters in case they are not supplied via LUDB or RADIUS.

configure
    subscriber-mgmt
        msap-policy "msap-pol-1" create
            sub-sla-mgmt
                def-sub-id use-auto-id
                def-sub-profile "sub-profile-1"
                def-sla-profile "sla-profile-1"
                sub-ident-policy "sub-ident-1"
                multi-sub-sap limit 500
            exit
            ies-vprn-only-sap-parameters
                anti-spoof nh-mac
            exit
        exit
    exit
exit

subscriber-interface Configuration

The following output displays a subscriber interface configuration.

configure
    service
        vprn 1 customer 1 create
            subscriber-interface "sub-int-1" create
                # support for un-numbered IPv4 clients
                allow-unmatching-subnets
                # default gateway for IPv4 numbered clients
                address 10.12.0.1/24
                ipv6
                    # fixed delegated prefix length for IA-PD
                    delegated-prefix-len 56
                    # support for un-numbered IPv6 clients
                    allow-unmatching-prefixes
                exit
                group-interface "grp-int-1" create
                    ipv6
                        router-advertisements
                            # hint to the client to use DHCPv6
                            managed-configuration
                            # enabling router-advertisements
                            no shutdown
                        exit
                        dhcp6
                            # must be the same as under the capture-SAP
                            user-db "ludb-1"
                        exit
                    exit
                    # ARP table is populated based on the lease state table
                    arp-populate
                    dhcp
                        server 10.10.1.1
                        # accept DHCP packets on this group interface
                        trusted
                        # max number of DHCPv4 clients on each
                        # SAP of this group-interface
                        lease-populate 100
                        # must be the same as under the capture-SAP
                        user-db "ludb-1"
                        no shutdown
                    exit
                    pppoe
                        policy "pppoe-pol-1"
                        session-limit 1000
                        sap-session-limit 1000
                        # must be the same as under the capture-SAP
                        user-db "ludb-1"
                        no shutdown
                    exit
                exit
            exit
            no shutdown
        exit
    exit
exit

For numbered/unnumbered subscriber-hosts also take a look at the DHCP/PPPoE clients whose assigned IP address is outside of any IP subnet/prefix configured under the subscriber-interface.

Specific Configuration Parts

DHCP Relay Case with No Authentication

The IP address is assigned via local DHCP server. The LUDB is accessed even in the scenario without authentication. There must be a default host LUDB entry present that will match on any value specified in the match-list criteria. The LUDB is accessed from the capture SAP (part of the common configuration).

configure
    subscriber-mgmt
        local-user-db "ludb-1" create
            description "for CASE-1"
            ipoe
                # host matching is based on circuit-ID in DHCP packets
                match-list circuit-id 
                host "default" create
                    no shutdown
                exit
            exit
            ppp
                # host matching is base on PPPoE username
                match-list username 
                host "default" create
                    # explicitly enable IPCPv6
                    force-ipv6cp
                    no shutdown
                exit
            exit
            no shutdown
        exit
    exit
exit

Once the routing context (service id and group-interface) is determined as defined under the capture SAP defaults (part of the common configuration), the DHCP/PPPoE requests are served according to the group-interface configuration. The IP address request is relayed to the DHCPv4/v6 server. Since the LUDB does not provide a pool name, the gi-address and the link-address is used by the DHCP relay/server to select the pool from which the IP address will be assigned.

configure
    service
        vprn 1 customer 1 create
            subscriber-interface "sub-int-1" create
                group-interface "grp-int-1" create
                    ipv6
                        dhcp6
                            # DHCPv6 relay configuration
                            relay
                                link-address 2001:DB8:30::
                                # DHCPv6 server IPv6 address
                                server 2001:DB8::1
                                client-applications dhcp ppp
                                no shutdown
                            exit
                        exit
                    exit
                    arp-populate
                    dhcp
                        # DHCPv4 server IP address
                        server 10.10.1.1
                        client-applications dhcp ppp
                        gi-address 10.12.0.1
                        no shutdown
                    exit
                exit
            exit
            no shutdown
        exit
    exit
exit

DHCPv4/v6 servers are locally configured in the node and attached to a loopback interface.

configure
    service
        vprn 1 customer 1 create
            interface "int-DHCP" create
                # IPv4 address which the DHCPv4 is listening on
                address 10.10.1.1/24
                ipv6
                    # IPv6 address which the DHCPv6 server is listening on
                    address 2001:DB8::1/128 
                    local-dhcp-server "svc-1-dhcp6"
                exit
                # attaching the DHCPv4 server to the loopback interface
                local-dhcp-server "svc-1-dhcp4"
                loopback
            exit
        exit
    exit
exit

In the local DHCP servers two pools are defined:

  • LUDB — To be used for IP address assignment when LUDB returns the pool name.

  • Gi-addr — To be used when gi-address/link-address are used to select the pool for IP address assignment.

Lease times for IPv4 and IPv6 are configured in the local DHCP server which is used only in the relay case (when the IP address is supplied via DHCP server and not through RADIUS or the LUDB).

configure
    service
        vprn 1 customer 1 create
            dhcp
                local-dhcp-server "svc-1-dhcp4" create
                    # the gi-address can be used to select the pool
                    use-gi-address 
                    # the pool name can be explicitly provided
                    use-pool-from-client
                    # the pool used when the LUDB provides the pool name
                    pool "ludb" create
                        options
                            dns-server 172.16.16.16 172.16.16.17
                            # DHCPv4 lease time
                            lease-time hrs 1
                        exit
                        subnet 10.10.0.0/24 create
                            options
                                subnet-mask 255.255.255.0
                                default-router 10.10.0.1
                            exit
                            address-range 10.10.0.100 10.10.0.200 
                        exit
                    exit
                    # pool selected based on the gi-address
                    pool "gi-addr" create
                        options
                            dns-server 172.16.16.16 172.16.16.17
                            # DHCPv4 lease time
                            lease-time hrs 1
                        exit
                        subnet 10.12.0.0/24 create
                            options
                                subnet-mask 255.255.255.0
                                default-router 10.12.0.1
                            exit
                            address-range 10.12.0.100 10.12.0.200 
                        exit
                    exit
                    no shutdown
                exit                  
            exit
            dhcp6
                local-dhcp-server "svc-1-dhcp6" create
                    use-link-address 
                    use-pool-from-client
                    pool "ludb" create
                        prefix 2001:DB8:10::/48 pd wan-host create
                            preferred-lifetime min 30 
                            rebind-timer min 20 
                            renew-timer min 15 
                            # DHCPv6 lease time
                            valid-lifetime hrs 1 
                            options
                                dns-server 2001:DB8::1000 2001:DB8::1001
                            exit
                        exit
                    exit
                    pool "gi-addr" create
                        prefix 2001:DB8:30::/48 pd wan-host create
                            preferred-lifetime min 30 
                            rebind-timer min 20 
                            renew-timer min 15 
                            # DHCPv6 lease time
                            valid-lifetime hrs 1 
                            options
                                dns-server 2001:DB8::1000 2001:DB8::1001
                            exit
                        exit
                    exit
                    no shutdown
                exit
            exit
        exit
    exit
exit

Default sub/sla-profiles, from the msap-policy, are used (part of the common configuration).

configure
    subscriber-mgmt
        sla-profile "sla-profile-1" create
            description "default SLA profile"
            host-limits
                overall 3
            exit
        exit
        sub-profile "sub-profile-1" create
            description "default SUB profile"
            egress
                agg-rate-limit 1000 
            exit
        exit
    exit
exit
Show Commands

The following command shows that the default sub/sla-profiles are in use, that the IP addresses are selected from the gi-addr pool in local DHCP server and that the subscriber-id is set to circuit-id for the IPoE subscriber-host and to username|session-id combination for the PPPoE subscriber-host.

*A:BNG-1# show service active-subscribers
 
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber open-dhcp-1 (sub-profile-1)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:11] - sla:sla-profile-1
-------------------------------------------------------------------------------
IP Address
                MAC Address          Session        Origin       Svc        Fwd
-------------------------------------------------------------------------------
10.12.0.107
                00:0c:29:00:00:11    N/A            DHCP         1          Y
2001:db8:30:103::1/128
                00:0c:29:00:00:11    N/A            DHCP6        1          Y
2001:db8:30:400::/56
                00:0c:29:00:00:11    N/A            DHCP6        1          Y
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
Subscriber open-pppoe-1|1 (sub-profile-1)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:21] - sla:sla-profile-1
-------------------------------------------------------------------------------
IP Address
                MAC Address          Session        Origin       Svc        Fwd
-------------------------------------------------------------------------------
10.12.0.108
                00:0c:29:00:00:21    PPP 1          IPCP         1          Y
2001:db8:30:104::1/128
                00:0c:29:00:00:21    PPP 1          DHCP6        1          Y
2001:db8:30:500::/56
                00:0c:29:00:00:21    PPP 1          DHCP6-PD     1          Y
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
Number of active subscribers : 2
===============================================================================
*A:BNG-1#

The following command shows more details about the subscriber-host, such as the group-interface, address origin, acct-session-id, etc. Even though there are only two dual-stack hosts (one IPoE and one PPPoE), each of them has three IP addresses that show up as different hosts.

For the purpose of brevity, the output for only two IP hosts are shown, one with an IPv4 address and one with an IPv6 address. The remaining IP addresses/prefixes are not shown because the output follows the same logic.

*A:BNG-1# show service id 1 subscriber-hosts detail
 
=============================================================
Subscriber Host table
=============================================================
Sap                    Subscriber
  IP Address
    MAC Address          PPPoE-SID Origin       Fwding State
-------------------------------------------------------------
[1/1/1:11]             open-dhcp-1
  10.12.0.107
    00:0c:29:00:00:11    N/A       DHCP         Fwding
-------------------------------------------------------------
Subscriber-interface  : sub-int-1
Group-interface       : grp-int-1
Sub Profile           : sub-profile-1
SLA Profile           : sla-profile-1
App Profile           : N/A
Egress Q-Group        : N/A
Egress Vport          : N/A
Acct-Session-Id       : 14F2FF00000026591168E2
Acct-Q-Inst-Session-Id: 14F2FF00000027591168E2
Address Origin        : Dynamic
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status    : N/A
OT HTTP Rdr Fltr Src  : N/A
HTTP Rdr URL Override : N/A
GTP local break-out   : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
[1/1/1:11]             open-dhcp-1
  2001:db8:30:103::1/128
    00:0c:29:00:00:11    N/A       IPoE-DHCP6   Fwding
-------------------------------------------------------------
 
---snip---
  
-------------------------------------------------------------
[1/1/1:11]             open-dhcp-1
  2001:db8:30:400::/56
    00:0c:29:00:00:11    N/A       IPoE-DHCP6   Fwding
-------------------------------------------------------------
 
---snip---
  
-------------------------------------------------------------
[1/1/1:21]             open-pppoe-1|1
  10.12.0.108
    00:0c:29:00:00:21    1         IPCP         Fwding
-------------------------------------------------------------
 
---snip---
  
-------------------------------------------------------------
[1/1/1:21]             open-pppoe-1|1
  2001:db8:30:104::1/128
    00:0c:29:00:00:21    1         PPP-DHCP6    Fwding
-------------------------------------------------------------
 
---snip---
  
-------------------------------------------------------------
[1/1/1:21]             open-pppoe-1|1
  2001:db8:30:500::/56
    00:0c:29:00:00:21    1         PPP-DHCP6    Fwding
-------------------------------------------------------------
Subscriber-interface  : sub-int-1
Group-interface       : grp-int-1
Sub Profile           : sub-profile-1
SLA Profile           : sla-profile-1
App Profile           : N/A
Egress Q-Group        : N/A
Egress Vport          : N/A
Acct-Session-Id       : 14F2FF0000002E5911690E
Acct-Q-Inst-Session-Id: 14F2FF0000002C5911690E
Address Origin        : Dynamic
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status    : N/A
OT HTTP Rdr Fltr Src  : N/A
HTTP Rdr URL Override : N/A
GTP local break-out   : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
Number of subscriber hosts : 6
=============================================================
*A:BNG-1#

The following command shows that there are no sub/sla-profile strings assigned to the subscriber. Instead the default sub/sla-profiles from the msap-policy are used.

The IP address is assigned by the DHCP server which also supplied the def-gw information, DNS servers, the net-mask and the lease time.

The circuit-id and the subscriber-id are set to the same value.

*A:BNG-1# show service id 1 dhcp lease-state detail
 
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID           : 1
IP Address           : 10.12.0.107
Client HW Address    : 00:0c:29:00:00:11
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:11]
Termination Type     : local
Up Time              : 0d 00:02:11
Remaining Lease Time : 0d 00:57:49
Remaining SessionTime: N/A
Persistence Key      : N/A
 
Sub-Ident            : "open-dhcp-1"
Sub-Profile-String   : ""
SLA-Profile-String   : ""
App-Profile-String   : ""
Lease ANCP-String    : ""
Lease Int Dest Id    : ""
Category-Map-Name    : ""
 
Lease Info origin    : DHCP
 
Ip-Netmask           : 255.255.255.0
Broadcast-Ip-Addr    : N/A
Default-Router       : 10.12.0.1
Primary-Dns          : 172.16.16.16
Secondary-Dns        : 172.16.16.17
Primary-Nbns         : N/A
Secondary-Nbns       : N/A
 
ServerLeaseStart     : 05/09/2017 08:59:46
ServerLastRenew      : 05/09/2017 08:59:46
ServerLeaseEnd       : 05/09/2017 09:59:46
Session-Timeout      : N/A
IPoE|PPP session     : No
Lease-Time           : 0d 01:00:00
DHCP Server Addr     : 10.10.1.1
 
Relay Agent Information
  Circuit Id         : open-dhcp-1
Radius User-Name     : ""
-------------------------------------------------------------------------------
Number of lease states : 1
===============================================================================
*A:BNG-1#

Then there is a similar command used for DHCPv6 lease-state details.

For the purpose of brevity, the output for only two IPv6 leases is shown. The remaining two IPv6 leases are not shown because the output follows the same logic.

*A:BNG-1# show service id 1 dhcp6 lease-state detail
 
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID           : 1
IP Address           : 2001:db8:30:103::1/128
Client HW Address    : 00:0c:29:00:00:11
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:11]
Termination Type     : local
Up Time              : 0d 00:02:34
Remaining Lease Time : 0d 00:57:26
Remaining SessionTime: N/A
Persistence Key      : N/A
 
Sub-Ident            : "open-dhcp-1"
Sub-Profile-String   : ""
SLA-Profile-String   : ""
App-Profile-String   : ""
Lease ANCP-String    : ""
Lease Int Dest Id    : ""
Category-Map-Name    : ""
Dhcp6 ClientId (DUID): 0001000120a31b12000c29000011
Dhcp6 IAID           : 2
Dhcp6 IAID Type      : non-temporary
Dhcp6 Client Ip      : fe80::20c:29ff:fe00:11
Primary-Dns          : N/A
Secondary-Dns        : N/A
Pool Name            : ""
Dhcp6 Server Addr    : 2001:db8::1
Dhcp6 ServerId (DUID): 0003000114f2ff000000
Dhcp6 InterfaceId    : open-dhcp-1
Dhcp6 RemoteId       : N/A
Radius sub-if prefix : N/A
Router adv. policy   : N/A
 
Lease Info origin    : DHCP
 
ServerLeaseStart     : 05/09/2017 09:00:00
ServerLastRenew      : 05/09/2017 09:00:00
ServerLeaseEnd       : 05/09/2017 10:00:00
Session-Timeout      : N/A
IPoE|PPP session     : No
Radius User-Name     : ""
-------------------------------------------------------------------------------
Service ID           : 1
IP Address           : 2001:db8:30:104::1/128
Client HW Address    : 00:0c:29:00:00:21
  
---snip---
  
-------------------------------------------------------------------------------
Service ID           : 1
IP Address           : 2001:db8:30:400::/56
Client HW Address    : 00:0c:29:00:00:11

---snip---

-------------------------------------------------------------------------------
Service ID           : 1
IP Address           : 2001:db8:30:500::/56
Client HW Address    : 00:0c:29:00:00:21
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:21]
Termination Type     : local
Up Time              : 0d 00:02:06
Remaining Lease Time : 0d 00:57:54
Remaining SessionTime: N/A
Persistence Key      : N/A
 
Sub-Ident            : "open-pppoe-1|1"
Sub-Profile-String   : ""
SLA-Profile-String   : ""
App-Profile-String   : ""
Lease ANCP-String    : ""
Lease Int Dest Id    : ""
Category-Map-Name    : ""
Dhcp6 ClientId (DUID): 0001000120a33d28000c29000021
Dhcp6 IAID           : 1
Dhcp6 IAID Type      : prefix
Dhcp6 Client Ip      : fe80::20c:29ff:fe00:21
Primary-Dns          : N/A
Secondary-Dns        : N/A
Pool Name            : ""
Dhcp6 Server Addr    : 2001:db8::1
Dhcp6 ServerId (DUID): 0003000114f2ff000000
Dhcp6 InterfaceId    : open-pppoe-1
Dhcp6 RemoteId       : N/A
Radius sub-if prefix : N/A
Router adv. policy   : N/A
 
Lease Info origin    : DHCP
 
ServerLeaseStart     : 05/09/2017 09:00:30
ServerLastRenew      : 05/09/2017 09:00:30
ServerLeaseEnd       : 05/09/2017 10:00:30
Session-Timeout      : N/A
IPoE|PPP session     : PPP
Radius User-Name     : "open-pppoe-1"
-------------------------------------------------------------------------------
Number of lease states : 4
===============================================================================
*A:BNG-1#
DHCP Relay Case with LUDB + RADIUS Authentication

IP address is assigned via local DHCP server.

  • RADIUS provides sub/sla-profile strings and a framed IPv4 route.

  • LUDB provides IP address pool, inter-dest-id string for Vport assignment, msap-defaults (routing context parameters and msap-policy).

Vport aggregate rate limit and the port scheduler are now added to the physical port. The Vport is associated with the subscriber through the inter-dest-id string obtained via LUDB.

configure
    port 1/1/1
        ethernet
            mode access
            encap-type dot1q
            egress-scheduler-policy "port"
            access
                egress
                    vport "open-dhcp" create
                        agg-rate
                            rate 500
                        exit
                        host-match dest "open-auth-vport" create
                    exit
                exit
            exit
        exit
        no shutdown
    exit
exit

The LUDB is used to assign the IP pool name (pool-name = ludb) and the inter-dest-id string (inter-dest-id = open-auth-vport) to the subscriber. The pool name is carried to the DHCP server via custom DHCP options [(82,9,13) in DHCPv4 and (17,1->wan_pool and 2->pfx_pool) in DHCPv6].

The domain name domain1 is appended to the username (circuit-id = open-dhcp-2 or username = open-pppoe-2) before an Access-Request message is sent to the RADIUS server which is configured in the authentication policy auth-pol-1.

The inter-dest-id string taken from the LUDB is passed to the subscriber management module in the node via DHCP option 254 in DHCP ACK/Reply.

configure
    subscriber-mgmt
        local-user-db "ludb-2" create
            description "for CASE-2"
            ipoe
                match-list circuit-id
                host "open-dhcp-2" create
                    host-identification
                        circuit-id string "open-dhcp-2"
                    exit
                    address pool "ludb"
                    auth-policy "auth-pol-1"
                    auth-domain-name "domain1"
                    identification-strings 254 create
                        inter-dest-id "open-auth-vport"
                    exit
                    msap-defaults
                        group-interface "grp-int-1"
                        policy "msap-pol-1"
                        service 1
                    exit
                    ipv6-wan-address-pool "ludb"
                    ipv6-delegated-prefix-pool "ludb"
                    no shutdown
                exit
            exit
            ppp
                match-list circuit-id mac username
                host "open-ppp-2" create
                    host-identification
                        username "open-pppoe-2"
                    exit
                    auth-policy "auth-pol-1"
                    address pool "ludb"
                    password chap "letmein"
                    identification-strings 254 create
                        inter-dest-id "open-auth-vport"
                    exit
                    msap-defaults
                        group-interface "grp-int-1"
                        policy "msap-pol-1"
                        service 1
                    exit
                    ipv6-delegated-prefix-pool "ludb"
                    ipv6-wan-address-pool "ludb"
                    no shutdown
                exit
            exit
            no shutdown
        exit
    exit
exit

The inter-dest-id string taken from the LUDB is passed to the subscriber management module in the node via DHCPv4/v6 option 254 that is specified in the subscriber identification policy.

configure
    subscriber-mgmt
        sub-ident-policy "sub-ident-1" create
            strings-from-option 254
        exit
    exit
exit

The RADIUS server is defined via the authentication policy. The domain name can be appended to the PPPoE subscriber host directly via the authentication-policy while for IPoE subscribers, the domain name is appended via the authentication-policy in conjunction with the LUDB. This can be verified in the output (shown later) of the show service id 1 dhcp lease-state detail and show service id 1 dhcp6 lease-state detail commands (on the ‟radius user-name” line).

configure
    subscriber-mgmt
        authentication-policy "auth-pol-1" create
            description "RADIUS authentication policy"
            password "letmein"
            ppp-user-name append "domain1"
            user-name-format circuit-id append
            accept-authorization-change
            pppoe-access-method pap-chap
            radius-server-policy "rad-serv-pol-1"
        exit
    exit
exit

The RADIUS user configuration file uses the domain-name extension, as inserted by the BNG, to authenticate the user:

open-dhcp-2@domain1   Cleartext-Password := "letmein"
            Alc-Subsc-Prof-Str = rad-sub,
            Alc-SLA-Prof-Str = rad-sla,
            Framed-Route = "192.168.1.0/24 0.0.0.0",
 
open-pppoe-2@domain1  Cleartext-Password := "letmein"
            Alc-Subsc-Prof-Str = rad-sub,
            Alc-SLA-Prof-Str = rad-sla,
            Framed-Route = "192.168.2.0/24 0.0.0.0",

DHCPv4/v6 servers are locally configured in the SR OS and attached to a loopback interface:

configure
    service
        vprn 1 customer 1 create
            interface "int-DHCP" create
                # IPv4 address which the DHCPv4 server is listening on 
                address 10.10.1.1/24
                ipv6
                    # IPv6 address which the DHCPv6 server is listening on 
                    address 2001:DB8::1/128 
                    # attach the DHCPv6 server to this loopback interface
                    local-dhcp-server "svc-1-dhcp6"
                exit
                # attach the DHCPv4 server to this loopback interface
                local-dhcp-server "svc-1-dhcp4"
                loopback
            exit
        exit
    exit
exit

Group-interface configuration. Note that common parts of the configuration as defined earlier, still apply:

configure
    service
        vprn 1 customer 1 create
            subscriber-interface "sub-int-1" create
                group-interface "grp-int-1" create
                    ipv6
                        dhcp6
                            user-db "ludb-2"
                            # DHCPv6 relay configuration
                            relay
                                link-address 2001:DB8:30::
                                server 2001:DB8::1
                                client-applications dhcp ppp
                                no shutdown
                            exit
                        exit
                    exit
                    arp-populate
                    # DHCPv6 relay configuration
                    dhcp
                        proxy-server
                            emulated-server 10.12.0.1
                            no shutdown
                        exit
                        option
                            # SR OS will not insert its own circuit-ID
                            no circuit-id
                            # SR OS will not insert its own remote-ID
                            no remote-id
                            vendor-specific-option
                                pool-name
                            exit
                        exit
                        server 10.10.1.1
                        client-applications dhcp ppp
                        user-db "ludb-2"
                        no shutdown
                    exit
                    pppoe
                        policy "pppoe-pol-1"
                        session-limit 1000
                        sap-session-limit 1000
                        user-db "ludb-2"
                        no shutdown
                    exit 
                exit
            exit
            no shutdown
        exit
    exit
exit

Lease times for IPv4 and IPv6 are configured in the local DHCP server. Lease times under the local DHCP server are used only in the relay case (when IP address is supplied via DHCP server and not RADIUS or LUDB). In the proxy case, the lease times can be obtained via LUDB, RADIUS, or group-interface.

configure
    service
        vprn 1 customer 1 create
            dhcp
                local-dhcp-server "svc-1-dhcp4" create
                    # gi-address can be used to select the pool
                    use-gi-address 
                    # pool name can be explicitly provided
                    use-pool-from-client
                    # pool used when LUDB provides the pool name
                    pool "ludb" create
                        options
                            dns-server 172.16.16.16 172.16.16.17
                            lease-time hrs 1
                        exit
                        subnet 10.10.0.0/24 create
                            options
                                subnet-mask 255.255.255.0
                                default-router 10.10.0.1
                            exit
                            address-range 10.10.0.100 10.10.0.200 
                        exit
                    exit
                    # pool selected based on the gi-address
                    pool "gi-addr" create
                        options
                            dns-server 172.16.16.16 172.16.16.17
                            lease-time hrs 1
                        exit
                        subnet 10.12.0.0/24 create
                            options
                                subnet-mask 255.255.255.0
                                default-router 10.12.0.1
                            exit
                            address-range 10.12.0.100 10.12.0.200 
                        exit
                    exit
                    no shutdown
                exit                  
            exit
            dhcp6
                local-dhcp-server "svc-1-dhcp6" create
                    use-link-address 
                    use-pool-from-client
                    pool "ludb" create
                        prefix 2001:DB8:10::/48 pd wan-host create
                            preferred-lifetime min 30 
                            rebind-timer min 20 
                            renew-timer min 15
                            valid-lifetime hrs 1 
                            options
                                dns-server 2001:DB8::1000 2001:DB8::1001
                            exit
                        exit
                    exit
                    pool "gi-addr" create
                        prefix 2001:DB8:30::/48 pd wan-host create
                            preferred-lifetime min 30 
                            rebind-timer min 20 
                            renew-timer min 15 
                            valid-lifetime hrs 1 
                            options
                                dns-server 2001:DB8::1000 2001:DB8::1001
                            exit
                        exit
                    exit
                    no shutdown
                exit
            exit
        exit
    exit
exit

RADIUS sub/sla-profiles supplied via RADIUS are used:

configure
    subscriber-mgmt
        sla-profile "rad-sla" create
            description "sla-profile obtained from RADIUS"
            host-limits
                overall 100
            exit
            egress
                qos 1 vport-scheduler
                exit
                ip-filter 1
            exit
        exit
        sub-profile "rad-sub" create
            description "sub-profile obtained from RADIUS"
            egress
                agg-rate-limit 15000 
            exit
        exit
    exit
exit
Show Commands

The following command shows that the rad-sub/sla-profiles, as supplied via RADIUS, are in use.

The IP addresses are selected from the pool-name LUDB in the local DHCP server. The subscriber-id is circuit-id for IPoE subscriber-host and the username|session-id combination for PPPoE subscriber host.

*A:BNG-1# show service active-subscribers
 
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber open-dhcp-2 (rad-sub)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:12] - sla:rad-sla
-------------------------------------------------------------------------------
IP Address
                MAC Address          Session        Origin       Svc        Fwd
-------------------------------------------------------------------------------
10.10.0.102
                00:0c:29:00:00:12    N/A            DHCP         1          Y
2001:db8:10:101::1/128
                00:0c:29:00:00:12    N/A            DHCP6        1          Y
2001:db8:10:200::/56
                00:0c:29:00:00:12    N/A            DHCP6        1          Y
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
Subscriber open-pppoe-2|1 (rad-sub)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:22] - sla:rad-sla
-------------------------------------------------------------------------------
IP Address
                MAC Address          Session        Origin       Svc        Fwd
-------------------------------------------------------------------------------
10.10.0.103
                00:0c:29:00:00:22    PPP 1          IPCP         1          Y
2001:db8:10:102::1/128
                00:0c:29:00:00:22    PPP 1          DHCP6        1          Y
2001:db8:10:300::/56
                00:0c:29:00:00:22    PPP 1          DHCP6-PD     1          Y
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
Number of active subscribers : 2
===============================================================================
*A:BNG-1#

The following command shows more details about the subscriber-host, such as the group-interface, vport, address origin, acct-session-id, etc. Vport is selected based on the inter-dest-id string supplied via the LUDB.

For the purpose of brevity, the output for only two IP addresses hosts is shown, one with an IPv4 address and one with an IPv6 address. The remaining IP addresses/prefixes are not shown because the output follows the same logic.

*A:BNG-1# show service id 1 subscriber-hosts detail
=============================================================
Subscriber Host table
=============================================================
Sap                    Subscriber
  IP Address
    MAC Address          PPPoE-SID Origin       Fwding State
-------------------------------------------------------------
[1/1/1:12]             open-dhcp-2
  10.10.0.102
    00:0c:29:00:00:12    N/A       DHCP         Fwding
-------------------------------------------------------------
Subscriber-interface  : sub-int-1
Group-interface       : grp-int-1
Sub Profile           : rad-sub
SLA Profile           : rad-sla
App Profile           : N/A
Egress Q-Group        : N/A
Egress Vport          : open-dhcp
Acct-Session-Id       : 14F2FF0000002F59116C4A
Acct-Q-Inst-Session-Id: 14F2FF0000003059116C4A
Address Origin        : Dynamic
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status    : N/A
OT HTTP Rdr Fltr Src  : N/A
HTTP Rdr URL Override : N/A
GTP local break-out   : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
[1/1/1:12]             open-dhcp-2
  2001:db8:10:101::1/128
    00:0c:29:00:00:12    N/A       IPoE-DHCP6   Fwding
-------------------------------------------------------------
 
---snip---
 
-------------------------------------------------------------
[1/1/1:12]             open-dhcp-2
  2001:db8:10:200::/56
    00:0c:29:00:00:12    N/A       IPoE-DHCP6   Fwding
-------------------------------------------------------------
 
---snip---
 
-------------------------------------------------------------
[1/1/1:22]             open-pppoe-2|1
  10.10.0.103
    00:0c:29:00:00:22    1         IPCP         Fwding
-------------------------------------------------------------
 
---snip---
 
-------------------------------------------------------------
[1/1/1:22]             open-pppoe-2|1
  2001:db8:10:102::1/128
    00:0c:29:00:00:22    1         PPP-DHCP6    Fwding
-------------------------------------------------------------
 
---snip---
 
-------------------------------------------------------------
[1/1/1:22]             open-pppoe-2|1
  2001:db8:10:300::/56
    00:0c:29:00:00:22    1         PPP-DHCP6    Fwding
-------------------------------------------------------------
Subscriber-interface  : sub-int-1
Group-interface       : grp-int-1
Sub Profile           : rad-sub
SLA Profile           : rad-sla
App Profile           : N/A
Egress Q-Group        : N/A
Egress Vport          : open-dhcp
Acct-Session-Id       : 14F2FF0000003759116C68
Acct-Q-Inst-Session-Id: 14F2FF0000003559116C68
Address Origin        : Dynamic
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status    : N/A
OT HTTP Rdr Fltr Src  : N/A
HTTP Rdr URL Override : N/A
GTP local break-out   : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
Number of subscriber hosts : 6
=============================================================
*A:BNG-1#

The following command shows that the subscriber identity is set to circuit-id (plus session-id) as instructed by auto-sub-id-key command (subscriber-id string is not returned via the LUDB or RADIUS). The lease times are set to 1h as defined in the DHCP server. The username passed to RADIUS is a circuit-id or a username appended with the domain1 domain name.

*A:BNG-1# show service id 1 dhcp lease-state detail
 
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID           : 1
IP Address           : 10.10.0.102
Client HW Address    : 00:0c:29:00:00:12
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:12]
Termination Type     : local
Up Time              : 0d 00:01:36
Remaining Lease Time : 0d 00:58:25
Remaining SessionTime: N/A
Persistence Key      : N/A
 
Sub-Ident            : "open-dhcp-2"
Sub-Profile-String   : "rad-sub"
SLA-Profile-String   : "rad-sla"
App-Profile-String   : ""
Lease ANCP-String    : ""
Lease Int Dest Id    : "open-auth-vport"
Category-Map-Name    : ""
 
Lease Info origin    : DHCP
 
Ip-Netmask           : 255.255.255.0
Broadcast-Ip-Addr    : N/A
Default-Router       : 10.10.0.1
Primary-Dns          : 172.16.16.16
Secondary-Dns        : 172.16.16.17
Primary-Nbns         : N/A
Secondary-Nbns       : N/A
 
ServerLeaseStart     : 05/09/2017 09:14:18
ServerLastRenew      : 05/09/2017 09:14:18
ServerLeaseEnd       : 05/09/2017 10:14:18
Session-Timeout      : N/A
IPoE|PPP session     : No
Lease-Time           : 0d 01:00:00
DHCP Server Addr     : 10.10.1.1
 
Relay Agent Information
  Circuit Id         : open-dhcp-2
Radius User-Name     : "open-dhcp-2@domain1"
 
-------------------------------------------------------------------------------
Managed Routes
-------------------------------------------------------------------------------
IP Address                                  Status       Metric Tag        Pref
-------------------------------------------------------------------------------
192.168.1.0/24                              installed    0      none       0
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Number of lease states : 1
===============================================================================
*A:BNG-1#

For the purpose of brevity the output for only two IPv6 leases is shown. The remaining two IPv6 leases are not shown because the output follows the same logic.

*A:BNG-1# show service id 1 dhcp6 lease-state detail
 
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID           : 1
IP Address           : 2001:db8:10:101::1/128
Client HW Address    : 00:0c:29:00:00:12
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:12]
Termination Type     : local
Up Time              : 0d 00:01:59
Remaining Lease Time : 0d 00:58:02
Remaining SessionTime: N/A
Persistence Key      : N/A
 
Sub-Ident            : "open-dhcp-2"
Sub-Profile-String   : "rad-sub"
SLA-Profile-String   : "rad-sla"
App-Profile-String   : ""
Lease ANCP-String    : ""
Lease Int Dest Id    : "open-auth-vport"
Category-Map-Name    : ""
Dhcp6 ClientId (DUID): 0001000120a33b22000c29000012
Dhcp6 IAID           : 2
Dhcp6 IAID Type      : non-temporary
Dhcp6 Client Ip      : fe80::20c:29ff:fe00:12
Primary-Dns          : N/A
Secondary-Dns        : N/A
Pool Name            : "ludb"
Dhcp6 Server Addr    : 2001:db8::1
Dhcp6 ServerId (DUID): 0003000114f2ff000000
Dhcp6 InterfaceId    : open-dhcp-2
Dhcp6 RemoteId       : N/A
Radius sub-if prefix : N/A
Router adv. policy   : N/A
 
Lease Info origin    : DHCP
 
ServerLeaseStart     : 05/09/2017 09:14:27
ServerLastRenew      : 05/09/2017 09:14:27
ServerLeaseEnd       : 05/09/2017 10:14:27
Session-Timeout      : N/A
IPoE|PPP session     : No
Radius User-Name     : "open-dhcp-2@domain1"
-------------------------------------------------------------------------------
Service ID           : 1
IP Address           : 2001:db8:10:102::1/128
Client HW Address    : 00:0c:29:00:00:22
  
---snip---
  
-------------------------------------------------------------------------------
Service ID           : 1
IP Address           : 2001:db8:10:200::/56
Client HW Address    : 00:0c:29:00:00:12
  
---snip---
  
-------------------------------------------------------------------------------
Service ID           : 1
IP Address           : 2001:db8:10:300::/56
Client HW Address    : 00:0c:29:00:00:22
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:22]
Termination Type     : local
Up Time              : 0d 00:01:39
Remaining Lease Time : 0d 00:58:21
Remaining SessionTime: N/A
Persistence Key      : N/A
Sub-Ident            : "open-pppoe-2|1"
Sub-Profile-String   : "rad-sub"
SLA-Profile-String   : "rad-sla"
App-Profile-String   : ""
Lease ANCP-String    : ""
Lease Int Dest Id    : "open-auth-vport"
Category-Map-Name    : ""
Dhcp6 ClientId (DUID): 0001000120a3175e000c29000022
Dhcp6 IAID           : 1
Dhcp6 IAID Type      : prefix
Dhcp6 Client Ip      : fe80::20c:29ff:fe00:22
Primary-Dns          : N/A
Secondary-Dns        : N/A
Pool Name            : "ludb"
Dhcp6 Server Addr    : 2001:db8::1
Dhcp6 ServerId (DUID): 0003000114f2ff000000
Dhcp6 InterfaceId    : open-pppoe-2
Dhcp6 RemoteId       : N/A
Radius sub-if prefix : N/A
Router adv. policy   : N/A
 
Lease Info origin    : DHCP
 
ServerLeaseStart     : 05/09/2017 09:14:48
ServerLastRenew      : 05/09/2017 09:14:48
ServerLeaseEnd       : 05/09/2017 10:14:48
Session-Timeout      : N/A
IPoE|PPP session     : PPP
Radius User-Name     : "open-pppoe-2@domain1"
-------------------------------------------------------------------------------
Number of lease states : 4
===============================================================================
*A:BNG-1#
IP Proxy Case with LUDB + RADIUS Authentication

IP address is assigned via RADIUS.

  • RADIUS provides IP addresses (IPv6 lease-times are provided under the group-interface) and related parameters (DNS server, IPv4 default-gateway, etc), inter-dest-id string for Vport assignment and a framed route.

  • LUDB provides sub/sla-profile strings and msap-defaults (routing context parameters and msap-policy).

Vport aggregate rate limit and the port scheduler are now added to the physical port. The Vport is associated with the subscriber through the inter-dest-id string obtained via the LUDB.

configure
    port 1/1/1
        ethernet
            mode access
            encap-type dot1q
            egress-scheduler-policy "port"
            access
                egress
                    vport "open-dhcp" create
                        agg-rate
                            rate 500
                        exit
                        host-match dest "open-auth-vport" create
                    exit
                exit
            exit
        exit
        no shutdown
    exit
exit

The LUDB is used to assign the sub/sla-profile strings.

The domain name domain1 is appended to the username (circuit-id = open-dhcp-3 or username = open-pppoe-3) before an Access-Request is sent to the RADIUS server that is configured in the authentication policy auth-pol-1.

configure
    subscriber-mgmt
        local-user-db "ludb-3" create
            description "for CASE-3"
            ipoe
                match-list circuit-id 
                host "open-dhcp-3" create
                    host-identification
                        circuit-id string "open-dhcp-3"
                    exit
                    auth-policy "auth-pol-1"
                    auth-domain-name "domain1"
                    identification-strings 254 create
                        sla-profile-string "ludb-sla"
                        sub-profile-string "ludb-sub"
                    exit
                    msap-defaults
                        group-interface "grp-int-1"
                        policy "msap-pol-1"
                        service 1
                    exit
                    no shutdown
                exit
            exit
            ppp
                match-list circuit-id mac username 
                host "open-ppp-3" create
                    host-identification
                        username "open-pppoe-3"
                    exit
                    auth-policy "auth-pol-1"
                    password chap "letmein"
                    identification-strings 254 create
                        sla-profile-string "ludb-sla"
                        sub-profile-string "ludb-sub"
                    exit
                    msap-defaults
                        group-interface "grp-int-1"
                        policy "msap-pol-1"
                        service 1
                    exit
                    no shutdown
                exit
            exit
            no shutdown
        exit
    exit
exit

RADIUS is defined via the authentication-policy. The domain name can be appended to the PPPoE subscriber host directly via authentication-policy, while for IPoE subscribers the domain name is appended via authentication-policy in conjunction with LUDB.

configure
    subscriber-mgmt
        authentication-policy "auth-pol-1" create
            description "RADIUS authentication policy"
            password "letmein"
            ppp-user-name append "domain1"
            user-name-format circuit-id append
            accept-authorization-change
            pppoe-access-method pap-chap
            radius-server-policy "rad-serv-pol-1"
        exit
    exit
exit

The RADIUS user configuration file uses the domain extension as inserted by the BNG node to authenticate the user. The inter-dest-id string and the host IP address are provided by the RADIUS server (proxy case) along with other IP addressing parameters.

The IPv4 lease time (30 minutes) for IPv4 addresses are provided by the RADIUS server, while the lease time (30 minutes) for IPv6 addresses/prefixes are configured under the group-interface.

open-dhcp-3@domain1   Cleartext-Password := "letmein"
            Alc-Int-Dest-Id-Str = open-auth-vport,
            Framed-IP-Address = 10.10.0.230,
            Framed-IP-Netmask = 255.255.255.0,
            Alc-Default-Router = 10.10.0.1,
            Alc-Lease-Time = 1800,
            Client-DNS-Pri = 172.16.20.20,
            Client-DNS-Sec = 172.16.20.21,
            Alc-IPv6-Address = 2001:db8::100,
            Delegated-IPv6-Prefix = 2001:DB8:40:100::/56,
            Alc-IPv6-Primary-Dns = 2001:DB8::2000,
            Alc-Ipv6-Secondary-Dns = 2001:DB8::2001,
            Framed-Route = "192.168.1.0/24 0.0.0.0",

open-pppoe-3@domain1  Cleartext-Password := "letmein"
            Alc-Int-Dest-Id-Str = open-auth-vport,
            Framed-IP-Address = 10.10.0.231,
            Framed-IP-Netmask = 255.255.255.255,
            Client-DNS-Pri = 172.16.20.20,
            Client-DNS-Sec = 172.16.20.21,
            Alc-IPv6-Address = 2001:db8:0:1::100,
            Delegated-IPv6-Prefix = 2001:DB8:40:200::/56,
            Alc-IPv6-Primary-Dns = 2001:DB8::2000,
            Alc-Ipv6-Secondary-Dns = 2001:DB8::2001,
            Framed-Route = "192.168.2.0/24 0.0.0.0",

The group-interface configuration is as follows. Note that common parts of the configuration as defined earlier still apply.

configure
    service
        vprn 1 customer 1 create
            subscriber-interface "sub-int-1" create
                group-interface "grp-int-1" create
                    ipv6
                        dhcp6
                            proxy-server
                                renew-timer min 7 
                                rebind-timer min 10 
                                valid-lifetime min 30 
                                preferred-lifetime min 15 
                                client-applications dhcp ppp
                                no shutdown
                            exit
                        exit
                    exit
                    dhcp
                        proxy-server
                            emulated-server 10.12.0.1
                            no shutdown
                        exit
                    exit
                exit
            exit
        exit
    exit
exit

RADIUS sub/sla-profiles supplied via the LUDB are used:

configure
    subscriber-mgmt
        sla-profile "ludb-sla" create
            description "sla-profile obtained via LUDB"
            host-limits
                overall 100
            exit
            egress
                qos 1 vport-scheduler
                exit
                ip-filter 1
            exit
        exit
        sub-profile "ludb-sub" create
            description "sub-profile obtained via LUDB"
            egress
                agg-rate-limit 15000
            exit
        exit
    exit
exit
Show Commands

The following command shows that the LUDB-sub/sla-profiles, as supplied via LUDB, are in use. The IP addresses are supplied via the RADIUS server. The subscriber-id is auto-generated (not returned via LUDB or RADIUS) and it is set to circuit-id for the IPoE subscriber-host, and to the username|session-id combination for PPPoE subscriber host.

*A:BNG-1# show service active-subscribers
 
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber open-dhcp-3 (ludb-sub)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:13] - sla:ludb-sla
-------------------------------------------------------------------------------
IP Address
                MAC Address          Session        Origin       Svc        Fwd
-------------------------------------------------------------------------------
10.10.0.230
                00:0c:29:00:00:13    N/A            DHCP         1          Y
2001:db8::100/128
                00:0c:29:00:00:13    N/A            DHCP6        1          Y
2001:db8:40:100::/56
                00:0c:29:00:00:13    N/A            DHCP6        1          Y
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
Subscriber open-pppoe-3|1 (ludb-sub)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:23] - sla:ludb-sla
-------------------------------------------------------------------------------
IP Address
                MAC Address          Session        Origin       Svc        Fwd
-------------------------------------------------------------------------------
10.10.0.231
                00:0c:29:00:00:23    PPP 1          IPCP         1          Y
2001:db8:0:1::100/128
                00:0c:29:00:00:23    PPP 1          DHCP6        1          Y
2001:db8:40:200::/56
                00:0c:29:00:00:23    PPP 1          DHCP6-PD     1          Y
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
Number of active subscribers : 2
===============================================================================
*A:BNG-1#

The following command shows more details about the subscriber-host, such as the group-interface, vport, address origin, acct-session-id, etc. Vport is selected based on the inter-dest-id string supplied via RADIUS.

For the purpose of brevity, the output for only two hosts is shown, one with IPv4 address and one with IPv6 prefix. The remaining IP addresses/prefixes are not shown because the output follows the same logic.

*A:BNG-1# show service id 1 subscriber-hosts detail
 
=============================================================
Subscriber Host table
=============================================================
Sap                    Subscriber
  IP Address
    MAC Address          PPPoE-SID Origin       Fwding State
-------------------------------------------------------------
[1/1/1:13]             open-dhcp-3
  10.10.0.230
    00:0c:29:00:00:13    N/A       DHCP         Fwding
-------------------------------------------------------------
Subscriber-interface  : sub-int-1
Group-interface       : grp-int-1
Sub Profile           : ludb-sub
SLA Profile           : ludb-sla
App Profile           : N/A
Egress Q-Group        : N/A
Egress Vport          : N/A
Acct-Session-Id       : 14F2FF0000003A59119C39
Acct-Q-Inst-Session-Id: 14F2FF0000003B59119C39
Address Origin        : AAA
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status    : N/A
OT HTTP Rdr Fltr Src  : N/A
HTTP Rdr URL Override : N/A
GTP local break-out   : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
[1/1/1:13]             open-dhcp-3
  2001:db8::100/128
    00:0c:29:00:00:12    N/A       IPoE-DHCP6   Fwding
-------------------------------------------------------------
  
---snip---
  
-------------------------------------------------------------
[1/1/1:13]             open-dhcp-3
  2001:db8:40:100::/56
    00:0c:29:00:00:12    N/A       IPoE-DHCP6   Fwding
-------------------------------------------------------------
  
---snip---
  
-------------------------------------------------------------
[1/1/1:23]             open-pppoe-3|1
  10.10.0.231
    00:0c:29:00:00:23    1         IPCP         Fwding
-------------------------------------------------------------
  
---snip---
  
-------------------------------------------------------------
[1/1/1:23]             open-pppoe-3|1
  2001:db8:0:1::100/128
    00:0c:29:00:00:23    1         PPP-DHCP6    Fwding
-------------------------------------------------------------
  
---snip---
  
-------------------------------------------------------------
[1/1/1:23]             open-pppoe-3|1
  2001:db8:40:200::/56
    00:0c:29:00:00:23    1         PPP-DHCP6    Fwding
-------------------------------------------------------------
Subscriber-interface  : sub-int-1
Group-interface       : grp-int-1
Sub Profile           : ludb-sub
SLA Profile           : ludb-sla
App Profile           : N/A
Egress Q-Group        : N/A
Egress Vport          : N/A
Acct-Session-Id       : 14F2FF0000004259119D4E
Acct-Q-Inst-Session-Id: 14F2FF0000004059119D4E
Address Origin        : AAA
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status    : N/A
OT HTTP Rdr Fltr Src  : N/A
HTTP Rdr URL Override : N/A
GTP local break-out   : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
Number of subscriber hosts : 6
=============================================================
*A:BNG-1#

The following command shows that the subscriber identity is set to circuit-id (plus session-id) as instructed by the auto-sub-id-key command (the subscriber-id string is not returned via LUDB or RADIUS). The lease times are set to 30 minutes as defined by RADIUS for IPv4 addresses and by the group-interface for IPv6 addresses/prefixes (proxy-case). The username passed to RADIUS is the circuit-id or username appended with the domain1 domain name. The origin of the lease is RADIUS.

*A:BNG-1# show service id 1 dhcp lease-state detail
 
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID           : 1
IP Address           : 10.10.0.230
Client HW Address    : 00:0c:29:00:00:13
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:13]
Termination Type     : local
Up Time              : 0d 00:06:17
Remaining Lease Time : 0d 00:23:43
Remaining SessionTime: N/A
Persistence Key      : N/A
 
Sub-Ident            : "open-dhcp-3"
Sub-Profile-String   : "ludb-sub"
SLA-Profile-String   : "ludb-sla"
App-Profile-String   : ""
Lease ANCP-String    : ""
Lease Int Dest Id    : "open-auth-vport"
Category-Map-Name    : ""
 
Lease Info origin    : Radius
 
Ip-Netmask           : 255.255.255.0
Broadcast-Ip-Addr    : 10.10.0.255
Default-Router       : 10.10.0.1
Primary-Dns          : 172.16.20.20
Secondary-Dns        : 172.16.20.21
Primary-Nbns         : N/A
Secondary-Nbns       : N/A
 
ServerLeaseStart     : 05/09/2017 12:38:49
ServerLastRenew      : 05/09/2017 12:38:49
ServerLeaseEnd       : 05/09/2017 13:08:49
Session-Timeout      : N/A
IPoE|PPP session     : No
Lease-Time           : 0d 00:30:00
DHCP Server Addr     : N/A
 
Relay Agent Information
  Circuit Id         : open-dhcp-3
Radius User-Name     : "open-dhcp-3@domain1"
 
-------------------------------------------------------------------------------
Managed Routes
-------------------------------------------------------------------------------
IP Address                                  Status       Metric Tag        Pref
-------------------------------------------------------------------------------
192.168.1.0/24                              installed    0      none       0
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Number of lease states : 1
===============================================================================
*A:BNG-1#

For the purpose of brevity, the details for only two IPv6 prefixes are shown. The remaining two IPv6 leases are not shown because the output follows the same logic.

*A:BNG-1# show service id 1 dhcp6 lease-state detail
  
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID           : 1
IP Address           : 2001:db8::100/128
Client HW Address    : 00:0c:29:00:00:12
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:13]
Termination Type     : local
Up Time              : 0d 00:06:24
Remaining Lease Time : 0d 00:23:37
Remaining SessionTime: N/A
Persistence Key      : N/A
  
Sub-Ident            : "open-dhcp-3"
Sub-Profile-String   : "ludb-sub"
SLA-Profile-String   : "ludb-sla"
App-Profile-String   : ""
Lease ANCP-String    : ""
Lease Int Dest Id    : "open-auth-vport"
Category-Map-Name    : ""
Dhcp6 ClientId (DUID): 0001000120a33b41000c29000012
Dhcp6 IAID           : 2
Dhcp6 IAID Type      : non-temporary
Dhcp6 Client Ip      : fe80::20c:29ff:fe00:12
Primary-Dns          : 2001:db8::2000
Secondary-Dns        : 2001:db8::2001
Pool Name            : ""
Dhcp6 Server Addr    : N/A
Dhcp6 ServerId (DUID): N/A
Dhcp6 InterfaceId    : open-dhcp-3
Dhcp6 RemoteId       : N/A
Radius sub-if prefix : N/A
Router adv. policy   : N/A
  
Lease Info origin    : Radius
  
ServerLeaseStart     : 05/09/2017 12:38:59
ServerLastRenew      : 05/09/2017 12:38:59
ServerLeaseEnd       : 05/09/2017 13:08:59
Session-Timeout      : N/A
IPoE|PPP session     : No
Radius User-Name     : "open-dhcp-3@domain1"
-------------------------------------------------------------------------------
Service ID           : 1
IP Address           : 2001:db8:0:1::100/128
Client HW Address    : 00:0c:29:00:00:23
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:23]
  
---snip---
  
-------------------------------------------------------------------------------
Service ID           : 1
IP Address           : 2001:db8:40:100::/56
Client HW Address    : 00:0c:29:00:00:12
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:13]
  
---snip---
  
-------------------------------------------------------------------------------
Service ID           : 1
IP Address           : 2001:db8:40:200::/56
Client HW Address    : 00:0c:29:00:00:23
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:23]
Termination Type     : local
Up Time              : 0d 00:01:58
Remaining Lease Time : 0d 00:28:02
Remaining SessionTime: N/A
Persistence Key      : N/A
 
Sub-Ident            : "open-pppoe-3|1"
Sub-Profile-String   : "ludb-sub"
SLA-Profile-String   : "ludb-sla"
App-Profile-String   : ""
Lease ANCP-String    : ""
Lease Int Dest Id    : "open-auth-vport"
Category-Map-Name    : ""
Dhcp6 ClientId (DUID): 0001000120a45903000c29000023
Dhcp6 IAID           : 1
Dhcp6 IAID Type      : prefix
Dhcp6 Client Ip      : fe80::20c:29ff:fe00:23
Primary-Dns          : 2001:db8::2000
Secondary-Dns        : 2001:db8::2001
Pool Name            : ""
Dhcp6 Server Addr    : N/A
Dhcp6 ServerId (DUID): N/A
Dhcp6 InterfaceId    : open-pppoe-3
Dhcp6 RemoteId       : N/A
Radius sub-if prefix : N/A
Router adv. policy   : N/A
 
Lease Info origin    : Radius
 
ServerLeaseStart     : 05/09/2017 12:43:26
ServerLastRenew      : 05/09/2017 12:43:26
ServerLeaseEnd       : 05/09/2017 13:13:26
Session-Timeout      : N/A
IPoE|PPP session     : PPP
Radius User-Name     : "open-pppoe-3@domain1"
-------------------------------------------------------------------------------
Number of lease states : 4
===============================================================================
*A:BNG-1#
IP Proxy Case with LUDB + RADIUS Authentication

The IP address is assigned via LUDB.

  • RADIUS provides sub/sla-profile strings and a framed IPv4 route.

  • LUDB provides IP addresses (IPv6 lease-times are provided under the group-interface) and related parameters (DNS server, IPv4 default-gateway, etc), inter-dest-id string for Vport assignment and msap-defaults (routing context parameters and msap-policy).

Vport aggregate rate limit and the port scheduler are now added to the physical port. The Vport is associated with the subscriber through the inter-dest-id string obtained via the LUDB.

configure
    port 1/1/1
        ethernet
            mode access
            encap-type dot1q
            egress-scheduler-policy "port"
            access
                egress
                    vport "open-dhcp" create
                        agg-rate
                            rate 500
                        exit
                        host-match dest "open-auth-vport" create
                    exit
                exit
            exit
        exit
        no shutdown
    exit
exit

The LUDB is used to assign the inter-dest-id string, host IP addresses and IP addressing parameters. The DHCP lease time for IPv4 addresses is set to 15 minutes in the LUDB while lease times for IPv6 addresses/prefixes is set under the group-interface (set to 30 minutes).

The domain name domain1 is appended to the username (circuit-id = open-dhcp-4 or username = open-pppoe-4) before an Access-Request is sent to the RADIUS server that is configured in the authentication-policy auth-pol-1.

configure
    subscriber-mgmt
        local-user-db "ludb-4" create
            description "for CASE-4"
            ipoe
                match-list circuit-id 
                host "open-dhcp-4" create
                    host-identification
                        circuit-id string "open-dhcp-4"
                    exit
                    address 10.10.0.230
                    auth-policy "auth-pol-1"
                    auth-domain-name "domain1"
                    identification-strings 254 create
                        inter-dest-id "open-auth-vport"
                    exit
                    msap-defaults
                        group-interface "grp-int-1"
                        policy "msap-pol-1"
                        service 1
                    exit
                    options
                        subnet-mask 255.255.255.0
                        default-router 10.10.0.254
                        dns-server 172.16.20.20 172.16.20.21
                        lease-time min 15
                    exit
                    options6
                        dns-server 2001:DB8::2000 2001:DB8::2001
                    exit
                    ipv6-address 2001:DB8::100
                    ipv6-delegated-prefix 2001:DB8:40:100::/56
                    no shutdown
                exit
            exit
            ppp
                match-list circuit-id mac username 
                host "open-ppp-4" create
                    host-identification
                        username "open-pppoe-4"
                    exit
                    auth-policy "auth-pol-1"
                    address 10.10.0.231/32
                    password chap "letmein"
                    identification-strings 254 create
                        inter-dest-id "open-auth-vport"
                    exit
                    msap-defaults
                        group-interface "grp-int-1"
                        policy "msap-pol-1"
                        service 1
                    exit
                    options
                        dns-server 172.16.20.20 172.16.20.21
                    exit
                    options6
                        dns-server 2001:DB8::2000 2001:DB8::2001
                    exit
                    ipv6-address 2001:DB8::1:0:0:0:100
                    ipv6-delegated-prefix 2001:DB8:40:200::/56
                    no shutdown
                exit
            exit
            no shutdown
        exit
    exit
exit

RADIUS is defined via the authentication-policy. The domain name can be appended to the PPPoE subscriber host directly via authentication-policy while for IPoE subscribers, the domain name is appended via authentication policy in conjunction with LUDB.

configure
    subscriber-mgmt
        authentication-policy "auth-pol-1" create
            description "RADIUS authentication policy"
            password "letmein"
            ppp-user-name append "domain1"
            user-name-format circuit-id append
            accept-authorization-change
            pppoe-access-method pap-chap
            radius-server-policy "rad-serv-pol-1"
        exit
    exit
exit

The RADIUS user configuration file uses the domain extension as inserted by the SR OS to authenticate the user.

open-dhcp-4@domain1   Cleartext-Password := "letmein"
            Alc-Subsc-Prof-Str = rad-sub,
            Alc-SLA-Prof-Str = rad-sla,
            Framed-Route = "192.168.1.0/24 0.0.0.0",

open-pppoe-4@domain1  Cleartext-Password := "letmein"
            Alc-Subsc-Prof-Str = rad-sub,
            Alc-SLA-Prof-Str = rad-sla,
            Framed-Route = "192.168.2.0/24 0.0.0.0",

The group interface configuration is as follows. Common parts of the configuration as defined earlier still apply.

configure
    service
        vprn 1 customer 1 create
            subscriber-interface "sub-int-1" create
                group-interface "grp-int-1" create
                    ipv6
                        user-db "ludb-4"
                        dhcp6
                            proxy-server
                                renew-timer min 7 
                                rebind-timer min 10 
                                valid-lifetime min 30 
                                preferred-lifetime min 15 
                                client-applications dhcp ppp
                                no shutdown
                            exit
                        exit
                    exit
                    dhcp
                        proxy-server
                            emulated-server 10.12.0.1
                            no shutdown
                        exit
                        user-db "ludb-4
                    exit
                exit
            exit
        exit
    exit
exit

RADIUS sub/sla-profiles supplied by RADIUS are defined as:

configure
    subscriber-mgmt
        sla-profile "ludb-sla" create
            description "sla-profile obtained via LUDB"
            host-limits
                overall 3
            exit
            egress
                qos 1 vport-scheduler
                exit
                ip-filter 1
            exit
        exit
        sub-profile "ludb-sub" create
            description "sub-profile obtained via LUDB"
            egress
                agg-rate-limit 15000 
            exit
        exit 
    exit
exit
Show Commands

The following command shows that the rad-sub/sla-profiles, as provided by RADIUS, are in use. The IP addresses are provided by LUDB. The subscriber-id is auto-generated (not returned via the LUDB or RADIUS) and it is set to circuit-id for IPoE subscriber-host(s) and to username|session-id combination for PPPoE subscriber host(s).

*A:BNG-1# show service active-subscribers
 
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber open-dhcp-4 (rad-sub)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:14] - sla:rad-sla
-------------------------------------------------------------------------------
IP Address
                MAC Address          Session        Origin       Svc        Fwd
-------------------------------------------------------------------------------
10.10.0.230
                00:0c:29:00:00:14    N/A            DHCP         1          Y
2001:db8::100/128
                00:0c:29:00:00:14    N/A            DHCP6        1          Y
2001:db8:40:100::/56
                00:0c:29:00:00:14    N/A            DHCP6        1          Y
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
Subscriber open-pppoe-4|1 (rad-sub)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[1/1/1:24] - sla:rad-sla
-------------------------------------------------------------------------------
IP Address
                MAC Address          Session        Origin       Svc        Fwd
-------------------------------------------------------------------------------
10.10.0.231
                00:0c:29:00:00:24    PPP 1          IPCP         1          Y
2001:db8:0:1::100/128
                00:0c:29:00:00:24    PPP 1          DHCP6        1          Y
2001:db8:40:200::/56
                00:0c:29:00:00:24    PPP 1          DHCP6-PD     1          Y
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
Number of active subscribers : 2
===============================================================================
*A:BNG-1#

The following command shows more details about the subscriber-host, such as the group-interface, vport, address origin, acct-session-id, etc. Vport is selected based on the inter-dest-id string as supplied via RADIUS.

For the purpose of brevity, the details for only two hosts is shown, one with IPv4 address and one with IPv6 prefix. The remaining IP addresses/prefixes are not shown because the output follows the same logic.

*A:BNG-1# show service id 1 subscriber-hosts detail
 
=============================================================
Subscriber Host table
=============================================================
Sap                    Subscriber
  IP Address
    MAC Address          PPPoE-SID Origin       Fwding State
-------------------------------------------------------------
[1/1/1:14]             open-dhcp-4
  10.10.0.230
    00:0c:29:00:00:14    N/A       DHCP         Fwding
-------------------------------------------------------------
Subscriber-interface  : sub-int-1
Group-interface       : grp-int-1
Sub Profile           : rad-sub
SLA Profile           : rad-sla
App Profile           : N/A
Egress Q-Group        : N/A
Egress Vport          : open-dhcp
Acct-Session-Id       : 14F2FF000000475911D18B
Acct-Q-Inst-Session-Id: 14F2FF000000445911D087
Address Origin        : Static
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status    : N/A
OT HTTP Rdr Fltr Src  : N/A
HTTP Rdr URL Override : N/A
GTP local break-out   : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
[1/1/1:14]             open-dhcp-4
  2001:db8::100/128
    00:0c:29:00:00:14    N/A       IPoE-DHCP6   Fwding
-------------------------------------------------------------
Subscriber-interface  : sub-int-1
Group-interface       : grp-int-1
Sub Profile           : rad-sub
SLA Profile           : rad-sla
  
---snip---
  
-------------------------------------------------------------
[1/1/1:14]             open-dhcp-4
  2001:db8:40:100::/56
    00:0c:29:00:00:14    N/A       IPoE-DHCP6   Fwding
-------------------------------------------------------------
Subscriber-interface  : sub-int-1
Group-interface       : grp-int-1
Sub Profile           : rad-sub
SLA Profile           : rad-sla
App Profile           : N/A
  
---snip---
  
-------------------------------------------------------------
[1/1/1:24]             open-pppoe-4|1
  10.10.0.231
    00:0c:29:00:00:24    1         IPCP         Fwding
-------------------------------------------------------------
Subscriber-interface  : sub-int-1
Group-interface       : grp-int-1
Sub Profile           : rad-sub
SLA Profile           : rad-sla
  
---snip---
  
-------------------------------------------------------------
[1/1/1:24]             open-pppoe-4|1
  2001:db8:0:1::100/128
    00:0c:29:00:00:24    1         PPP-DHCP6    Fwding
-------------------------------------------------------------
Subscriber-interface  : sub-int-1
Group-interface       : grp-int-1
Sub Profile           : rad-sub
SLA Profile           : rad-sla
  
---snip---
  
-------------------------------------------------------------
[1/1/1:24]             open-pppoe-4|1
  2001:db8:40:200::/56
    00:0c:29:00:00:24    1         PPP-DHCP6    Fwding
-------------------------------------------------------------
Subscriber-interface  : sub-int-1
Group-interface       : grp-int-1
Sub Profile           : rad-sub
SLA Profile           : rad-sla
App Profile           : N/A
Egress Q-Group        : N/A
Egress Vport          : open-dhcp
Acct-Session-Id       : 14F2FF0000004C5911D288
Acct-Q-Inst-Session-Id: 14F2FF0000004A5911D288
Address Origin        : Static
OT HTTP Rdr IP-FltrId : N/A
OT HTTP Rdr Status    : N/A
OT HTTP Rdr Fltr Src  : N/A
HTTP Rdr URL Override : N/A
GTP local break-out   : No
DIAMETER session ID Gx: N/A
-------------------------------------------------------------
Number of subscriber hosts : 6
=============================================================
*A:BNG-1#

The following command shows that the subscriber identity is set to circuit-id (plus session-id) as instructed by the auto-sub-id-key command (the subscriber-id string is not returned via the LUDB or RADIUS). The DHCPv4 lease time is set to set to 15 minutes as defined by the LUDB. The DHCPv6 lease times are set to 30 minutes as configured under the group-interface. The username passed to RADIUS is the circuit-id or username appended with the domain1 domain name. The origin of the lease is RADIUS.

*A:BNG-1# show service id 1 dhcp lease-state detail
 
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID           : 1
IP Address           : 10.10.0.230
Client HW Address    : 00:0c:29:00:00:14
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:14]
Termination Type     : local
Up Time              : 0d 00:09:25
Remaining Lease Time : 0d 00:13:07
Remaining SessionTime: N/A
Persistence Key      : N/A
 
Sub-Ident            : "open-dhcp-4"
Sub-Profile-String   : "rad-sub"
SLA-Profile-String   : "rad-sla"
App-Profile-String   : ""
Lease ANCP-String    : ""
Lease Int Dest Id    : "open-auth-vport"
Category-Map-Name    : ""
 
Lease Info origin    : UserDb
 
Ip-Netmask           : 255.255.255.0
Broadcast-Ip-Addr    : 10.10.0.255
Default-Router       : 10.10.0.254
Primary-Dns          : 172.16.20.20
Secondary-Dns        : 172.16.20.21
Primary-Nbns         : N/A
Secondary-Nbns       : N/A
 
ServerLeaseStart     : 05/09/2017 16:26:19
ServerLastRenew      : 05/09/2017 16:33:50
ServerLeaseEnd       : 05/09/2017 16:48:50
Session-Timeout      : N/A
IPoE|PPP session     : No
Lease-Time           : 0d 00:15:00
DHCP Server Addr     : N/A
 
Relay Agent Information
  Circuit Id         : open-dhcp-4
Radius User-Name     : "open-dhcp-4@domain1"
 
-------------------------------------------------------------------------------
Managed Routes
-------------------------------------------------------------------------------
IP Address                                  Status       Metric Tag        Pref
-------------------------------------------------------------------------------
192.168.1.0/24                              installed    0      none       0
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Number of lease states : 1
===============================================================================
*A:BNG-1#

For the purpose of brevity, the details for only two IPv6 leases is shown. The remaining two IPv6 leases are not shown because the output follows the same logic.

*A:BNG-1# show service id 1 dhcp6 lease-state detail
 
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID           : 1
IP Address           : 2001:db8::100/128
Client HW Address    : 00:0c:29:00:00:14
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:14]
Termination Type     : local
Up Time              : 0d 00:13:48
Remaining Lease Time : 0d 00:23:11
Remaining SessionTime: N/A
Persistence Key      : N/A
 
Sub-Ident            : "open-dhcp-4"
Sub-Profile-String   : "rad-sub"
SLA-Profile-String   : "rad-sla"
App-Profile-String   : ""
Lease ANCP-String    : ""
Lease Int Dest Id    : "open-auth-vport"
Category-Map-Name    : ""
Dhcp6 ClientId (DUID): 0001000120a487cf000c29000014
Dhcp6 IAID           : 2
Dhcp6 IAID Type      : non-temporary
Dhcp6 Client Ip      : fe80::20c:29ff:fe00:14
Primary-Dns          : 2001:db8::2000
Secondary-Dns        : 2001:db8::2001
Pool Name            : ""
Dhcp6 Server Addr    : N/A
Dhcp6 ServerId (DUID): N/A
Dhcp6 InterfaceId    : open-dhcp-4
Dhcp6 RemoteId       : N/A
Radius sub-if prefix : N/A
Router adv. policy   : N/A
 
Lease Info origin    : UserDb
 
ServerLeaseStart     : 05/09/2017 16:22:26
ServerLastRenew      : 05/09/2017 16:29:25
ServerLeaseEnd       : 05/09/2017 16:59:25
Session-Timeout      : N/A
IPoE|PPP session     : No
Radius User-Name     : "open-dhcp-4@domain1"
-------------------------------------------------------------------------------
Service ID           : 1
IP Address           : 2001:db8:0:1::100/128
Client HW Address    : 00:0c:29:00:00:24
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:24]
  
---snip---
  
-------------------------------------------------------------------------------
Service ID           : 1
IP Address           : 2001:db8:40:100::/56
Client HW Address    : 00:0c:29:00:00:14
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:14]
  
---snip---
  
-------------------------------------------------------------------------------
Service ID           : 1
IP Address           : 2001:db8:40:200::/56
Client HW Address    : 00:0c:29:00:00:24
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
SAP                  : [1/1/1:24]
Termination Type     : local
Up Time              : 0d 00:05:44
Remaining Lease Time : 0d 00:24:16
Remaining SessionTime: N/A
Persistence Key      : N/A
 
Sub-Ident            : "open-pppoe-4|1"
Sub-Profile-String   : "rad-sub"
SLA-Profile-String   : "rad-sla"
App-Profile-String   : ""
Lease ANCP-String    : ""
Lease Int Dest Id    : "open-auth-vport"
Category-Map-Name    : ""
Dhcp6 ClientId (DUID): 0001000120a45933000c29000024
Dhcp6 IAID           : 1
Dhcp6 IAID Type      : prefix
Dhcp6 Client Ip      : fe80::20c:29ff:fe00:24
Primary-Dns          : 2001:db8::2000
Secondary-Dns        : 2001:db8::2001
Pool Name            : ""
Dhcp6 Server Addr    : N/A
Dhcp6 ServerId (DUID): N/A
Dhcp6 InterfaceId    : open-pppoe-4
Dhcp6 RemoteId       : N/A
Radius sub-if prefix : N/A
Router adv. policy   : N/A
 
Lease Info origin    : UserDb
 
ServerLeaseStart     : 05/09/2017 16:30:32
ServerLastRenew      : 05/09/2017 16:30:32
ServerLeaseEnd       : 05/09/2017 17:00:32
Session-Timeout      : N/A
IPoE|PPP session     : PPP
Radius User-Name     : "open-pppoe-4@domain1"
-------------------------------------------------------------------------------
Number of lease states : 4
===============================================================================
*A:BNG-1#

Troubleshooting Commands

The following output shows the debugging commands which can be used to troubleshoot problems with the different authentication models.

debug
    router "Base"
        radius
            packet-type authentication accounting coa
            detail-level medium
        exit
    exit
    router "1"
        ip
            dhcp
                detail-level high
                mode egr-ingr-and-dropped
            exit
            dhcp6
                mode egr-ingr-and-dropped
                detail-level high
            exit
        exit
        local-dhcp-server "svc-1-dhcp4"
            detail-level high
            mode egr-ingr-and-dropped
        exit
        local-dhcp-server "svc-1-dhcp6"
            detail-level high
            mode egr-ingr-and-dropped
        exit
    exit
    service
        id 1
            ppp
                packet
                    mode egr-ingr-and-dropped
                    detail-level high
                    discovery
                    ppp
                    dhcp-client
                exit
            exit
        exit
        id 2
            dhcp
                mode egr-ingr-and-dropped
                detail-level high
            exit
            dhcp6
                mode all
                detail-level high
            exit
            ppp
                packet
                    mode dropped-only
                    detail-level high
                    discovery
                    ppp
                    dhcp-client
                exit
            exit
        exit
    exit
    subscriber-mgmt
        local-user-db "ludb-1"
            detail all
        exit
        local-user-db "ludb-2"
            detail all
        exit
        local-user-db "ludb-3"
            detail all
        exit
        local-user-db "ludb-4"
            detail all
        exit
    exit
exit
configure
    log
        log-id 1
            from debug-trace
            to session
            no shutdown
        exit
    exit
exit

Conclusion

The flexible authentication model allows access to various sources (LUDB, RADIUS, and Python) of subscriber parameters during the subscriber establishment phase. This model can be utilized for IPoE, PPPoE or L2TP subscribers in IES or VPRN services (including a wholesale/retail VRF model). A typical use case would be in a wholesale/retail environment where the wholesaler enforces its own rules via the LUDB before it passes the authentication request to the retailer’s RADIUS server.