Authentication

Configure authentication for a new cMAG-c session, including the RADIUS authentication profile. Learn about the BNG EP and ADB lookup process.

Overview of the authentication process

The authentication process for a new session on cMAG-c performs a lookup in the following order:

  1. BNG EP for sessions
  2. authentication flow

The BNG EP lookup returns the following:

  • basic configurations for the CP protocol negotiation (for example, the IPoE profile)
  • basic session configuration (for example, subscriber identification)
  • the authentication flow used to authenticate the session

The authentication flow contains an ordered list of authentication databases (ADBs). The cMAG-c performs a lookup in each ADB in the list, in the specified order. The lookup returns the following configurations required to create the session:

  • session attributes (for example, the SLA profile and the subscriber profile)
  • address assignment configuration (for example, the local address pool name)
  • optional external AAA authentication (for example, RADIUS)

When both the BNG EP lookup and the authentication flow lookup complete successfully, the cMAG-c creates a full forwarding state on the MAG-u for the session using the session management procedures.

BNG entry point

The BNG entry point (EP) provides information needed in the authentication flow.

Use the following command to create a BNG EP.

subscriber-management entry-point

To define the control packet types that trigger the BNG EP lookup, use the following command.

subscriber-management ref-points up fixed-access ibcp-triggers

To reference the entry-point for the triggers, use the following command.

subscriber-management ref-points up fixed-access entry-point

The following example shows an EP configuration in the BNG profile.

# info from running /subscriber-management entry-point e1
    admin-state enable
    match 1 {
        attribute up-node-id
    }
    entry 10 {
        admin-state enable
        ipoe {
            authentication-flow {
                authentication-database [
                    adb1
                    adb2
                ]
            }
        }
    }

Authentication database

Each ADB entry contains three groups of configuration parameters:

  • match criteria
  • action parameters
  • session creation parameters (for example, SLA profile)

After the cMAG-c chooses the best matched entry in the ADB, the cMAG-c executes the configured action. The action can be any of the following types:

  • reject

    The session authentication fails and no subsequent ADB lookups are performed, even if they are configured as part of the authentication flow.

  • accept

    The cMAG-c includes the session creation configuration parameters of the chosen ADB entry for the session creation.

  • radius

    The cMAG-c performs the RADIUS authentication using the RADIUS authentication profile. Use the following command to configure the RADIUS authentication profile.

    subscriber-management profiles radius-authentication-profile

    If the RADIUS authentication succeeds, the cMAG-c includes the returned RADIUS authentication attributes and the session creation configuration parameters for the session creation. If the RADIUS authentication fails, the session authentication fails.

The cMAG-c uses the session creation configuration parameters of all ADBs. The authentication flow contains an ordered list of ADBs. If ADBx comes before ADBy in the ordered list of ADBs, the values of the parameters in ADBy have priority over the values of the parameters in ADBx. For example, an authentication flow contains two ADBs, ADB1 and ADB2. If the matched entry in ADB1 returns sla-profile foo, and the matched entry in ADB2 returns sla-profile bar, a new session is created with sla-profile bar.

If a session creation configuration is not explicitly configured (for example, it equals the default value), the ADB lookup returns no value for this configuration. For example, an authentication flow contains two ADBs, ADB1 and ADB2. If ADB1 returns sla-profile bar, and the matched entry in ADB2 does not contain an explicit configuration for sla-profile (it equals the default value), a new session is created with sla-profile bar.

Some session creation configuration parameters support a special discard keyword. The discard keyword means that the previously returned ADB value for the attribute must be discarded. For example, an authentication flow contains two ADBs, ADB1 and ADB2. If ADB1 returns a value for to-client-dhcp-option-profile and ADB2 configures to-client-dhcp-option-profile discard, the cMAG-c creates the session without to-client-dhcp-option-profile.

Authentication flow

An authentication flow contains the following configuration items:

  • trigger packet type; for example, DHCPv4 discovery or PPPoE PADI packet
  • ordered list of one or more ADBs for the specified trigger packet type

When the MAG-u sends a trigger packet, the cMAG-c performs a lookup in each ADB in the list, in the specified order. Each ADB can return session-related configurations. These session-related configurations can be locally configured or returned from an external AAA server.

An IPoE session has only one authentication flow. A PPPoE session requires at least one of the following independent authentication flows:

  • PADI
  • PAP/CHAP

If an ADB lookup fails, the session setup fails. The ADB lookup may fail, for example, if an entry is matched with the reject action or if there is an AAA authentication failure.

If all lookups complete successfully, the cMAG-c continues session setup using the combined configurations from all ADB lookups. For example, the BNG EP lookup returns two authentication flows for a new PPPoE session. The authentication flows return the following configuration:

  • PADI authentication flow with 1 ADB: ADB1 returns PADO delay value
  • PAP/CHAP authentication flow with 2 ADBs: ADB2 configures RADIUS authentication, ADB3 returns a local address pool

In this example, the cMAG-c uses the combined configuration result from the three ADB lookups to set up the PPPoE session.

Each session requires a service configuration, as described in Service selection. The service can also provide overrides for specific configurations. If different types of sources return the same type of configuration (for example, an address pool name), the cMAG-c uses the value of the source with the highest ranking. The sources are ranked as follows, with the highest ranked first:

  1. AAA
  2. Local ADB
  3. Service

If different sources of the same type (for example, different ADBs) return the same type of configuration, the cMAG-c uses the last returned value. For example, if both ADB1 and ADBN return an SLA profile name, and ADB1 returns SLA profile name X and ADBN returns SLA profile name Y, the system uses SLA profile name Y because it is the last returned value.
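The two precedence rules described above (later ADBs override earlier ones, with the discard keyword and the AAA, local ADB, service ranking) are small enough to model directly. The following Python is an added example, not part of the cMAG-c documentation or product; the dict-based representation of lookup results and the source type names are assumptions made for the illustration.

```python
DISCARD = "discard"  # special keyword supported by some session creation parameters

# Ranking of configuration source types, highest ranked first.
SOURCE_RANK = {"aaa": 0, "adb": 1, "service": 2}


def merge_adb_results(adb_results):
    """Combine the session creation parameters returned by an ordered ADB list.

    adb_results is a list of dicts in authentication-flow order.  A parameter an
    entry does not configure explicitly is simply absent from its dict (the
    lookup returns no value for it).  A later ADB overrides an earlier one, and
    the value DISCARD drops whatever an earlier ADB returned for that parameter.
    """
    merged = {}
    for result in adb_results:
        for name, value in result.items():
            if value == DISCARD:
                merged.pop(name, None)
            else:
                merged[name] = value
    return merged


def resolve_configuration(by_source):
    """Pick one value per parameter across source types.

    by_source maps a source type ("aaa", "adb" or "service") to the parameters
    that source type returned.  When several source types return the same
    parameter, the highest ranked source wins: AAA, then local ADB, then service.
    """
    resolved = {}
    # Apply the lowest ranked sources first so the higher ranked ones overwrite them.
    for source in sorted(by_source, key=lambda s: SOURCE_RANK[s], reverse=True):
        resolved.update(by_source[source])
    return resolved


if __name__ == "__main__":
    # Constructed walk-through of the cases described in the text.
    print(merge_adb_results([{"sla-profile": "foo"}, {"sla-profile": "bar"}]))
    print(merge_adb_results([{"sla-profile": "bar"}, {}]))
    print(merge_adb_results([{"to-client-dhcp-option-profile": "opt1"},
                             {"to-client-dhcp-option-profile": DISCARD}]))
    print(resolve_configuration({"service": {"ipv4-pool": "svc-pool"},
                                 "adb": {"ipv4-pool": "pool-up-1"},
                                 "aaa": {"ipv4-pool": "radius-pool"}}))
```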

BNG EP and ADB lookup

Both the BNG EP entries and the ADB entries contain session configuration and one or more ordered match criteria. The match criteria are used in the lookup. The session configuration is used in the creation of the session.

Match criteria properties

Match criteria have the following properties:

  • match-id

    The match ID defines the priority. The lower the ID, the higher the priority.

  • attribute

    The attribute defines the name of the attribute that is used for the lookup. It is the name of a session attribute. The attribute can be a control protocol field (for example, DHCP option 82 circuit-id, vendor-class), data packet field (for example, source-ip-prefix), or metadata of the session (for example, l2-access-id).

  • value

    The value defines the criteria value to which the session value must match for the specified attribute. If the attribute is optional, the value can be empty, meaning any session value matches with the criteria value.

  • optional

    Match criteria can be optional or mandatory. The attribute of optional criteria does not need to be present in the session data to match the entry. If the attribute of optional criteria is present in the session data, the session value must equal the criteria value to match the entry. An attribute that is not present in the entry can have any value in the session (including not available).

  • string-mask

    A string mask is applied to the value of the session attribute before comparing it with the value of the criteria. It can be used for supported attributes (for example, l2-access-id).

The string mask can be length-based or string-based and can be a suffix or a prefix, as follows:

  • prefix
    • length-based

      The cMAG-c removes the specified number of characters from the beginning of the session value.

    • string-based

      The cMAG-c removes the specified string from the beginning of the session value. An asterisk (*) can be used as a wild-card in the string mask.

  • suffix
    • length-based

      The cMAG-c removes the specified number of characters from the end of the session value.

    • string-based

      The cMAG-c removes the specified string from the end of the session value. An asterisk (*) can be used as a wild-card in the string mask.

The following examples show the string that is used to compare the session value of l2-access-id with the criteria value for a specific string mask configuration. Assume that the session value of l2-access-id equals 1/2/3.

  • For string-mask equal to prefix length 2, the cMAG-c removes the first two characters of the session value. The resulting value 2/3 is used to match with the end of the criteria value; for example, the resulting value 2/3 matches with the criteria value 4/2/3.
  • For string-mask equal to suffix string "/*", the cMAG-c removes the last slash (/) and everything after it at the end of the session value. The resulting value 1/2 is used to match with the beginning of the criteria value; for example, the resulting value 1/2 matches with the criteria value 1/2/4.
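The string mask behavior above, as an added Python example that is not part of the cMAG-c documentation. It covers all four mask forms (prefix/suffix, length/string) and the direction of the comparison that follows each one; the function names and the choice to remove the shortest matching prefix or suffix for a wildcard mask are assumptions, chosen so that suffix "/*" on 1/2/3 yields 1/2 as in the text.

```python
import fnmatch


def apply_string_mask(session_value, position, kind, mask):
    """Strip one end of the session value before it is compared.

    position: "prefix" or "suffix"  (which end of the session value is removed)
    kind:     "length" or "string"  (mask is a character count, or a string in
                                      which '*' is the wildcard)
    For a string mask the shortest matching prefix/suffix is removed (assumption
    consistent with the documented example); if the mask does not match at all,
    the session value is returned unchanged (also an assumption).
    """
    size = len(session_value)
    if kind == "length":
        n = min(int(mask), size)
    else:
        for n in range(0, size + 1):
            part = session_value[:n] if position == "prefix" else session_value[size - n:]
            if fnmatch.fnmatchcase(part, mask):
                break
        else:
            return session_value
    return session_value[n:] if position == "prefix" else session_value[:size - n]


def matches_criteria(session_value, criteria_value, position, kind, mask):
    """Compare a masked session value with the criteria value.

    After a prefix mask the remainder must match the end of the criteria value;
    after a suffix mask it must match the beginning of the criteria value.
    """
    stripped = apply_string_mask(session_value, position, kind, mask)
    if position == "prefix":
        return criteria_value.endswith(stripped)
    return criteria_value.startswith(stripped)


if __name__ == "__main__":
    # Constructed inputs: the two examples from the text, l2-access-id = 1/2/3.
    print(apply_string_mask("1/2/3", "prefix", "length", 2),
          matches_criteria("1/2/3", "4/2/3", "prefix", "length", 2))
    print(apply_string_mask("1/2/3", "suffix", "string", "/*"),
          matches_criteria("1/2/3", "1/2/4", "suffix", "string", "/*"))
```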

Default entries

If a BNG EP entry or an ADB entry does not have any match criteria, this BNG EP entry or ADB entry is the default entry. The cMAG-c chooses the default entry when there is no other matched entry. Only one default entry is allowed for the BNG EPs and for the ADBs.

Entry matching

Entries of a BNG EP or of an ADB cannot have the same set of match criteria within the same BNG EP or ADB. In this case, the entry becomes operationally down. The system does allow entries with the same match criteria in different BNG EPs or ADBs.

During a BNG EP or ADB lookup, the cMAG-c compares the attributes of the session with the match criteria of all entries in the BNG EP or in the ADB and creates a list of all matched entries. A matched entry is one for which all mandatory match criteria are fulfilled.

At the end of the lookup, the cMAG-c chooses the best matched entry from the list of all matched entries for session creation. The cMAG-c chooses an entry from the list as follows:

  • If the list of all matched entries contains only one entry, that entry is the best match.
  • If the list of all matched entries contains more than one entry, the cMAG-c reduces the list to the entries with the highest number of match criteria. If this list contains only one entry, that entry is the best match.
  • If the reduced list of entries with the highest number of match criteria contains more than one entry, the cMAG-c selects the entry with matches for the highest priority attributes.

Example mandatory and optional match criteria

As an example, the match criteria for an ADB entry contain the attribute l2-access-id (marked optional) and the attribute up-ip (mandatory). For the ADB entry to be a matched entry, one of the following must be true.

  • Both up-ip and l2-access-id are present in the session and both match the values in the ADB entry.
  • Only up-ip is present in the session and it matches the value in the ADB entry.

If both l2-access-id and up-ip are present in the session, but only l2-access-id matches the value in the ADB entry, the ADB entry is not a matched entry.

Example entry matching and selection

The following output defines the configuration of four ADB entries.

# info from running /subscriber-management authentication-database testdb
    admin-state enable
    match 1 {
        !!! first match criteria is UP node id
        attribute up-node-id
        optional true
    }
    match 2 {
        !!! 2nd match criteria is layer2 access ID
        attribute l2-access-id
        optional true
    }
    match 3 {
        !!! 3rd match criteria is SVLAN
        attribute s-vlan
        optional true
    }
    entry 10 {
        admin-state enable
        match {
            up-node-id 172.16.10.50
            l2-access-id 1/1/2
            s-vlan-range {
                start 100
                end 200
            }
        }
        up-parameters {
            sla-profile entry10
            sub-profile entry10
        }
    }
    entry 20 {
        admin-state enable
        match {
            up-node-id 172.16.10.50
            l2-access-id 1/1/2
        }
        up-parameters {
            sla-profile entry20
            sub-profile entry20
        }
        charging {
            profiles [
                mybngcharging
            ]
        }
    }
    entry 30 {
        admin-state enable
        match {
            l2-access-id 1/1/2
            s-vlan-range {
                start 100
                end 200
            }
        }
        up-parameters {
            sla-profile entry30
            sub-profile entry30
        }
    }
    entry 40 {
        admin-state enable
        match {
            s-vlan-range {
                start 100
                end 200
            }
        }
        up-parameters {
            sla-profile entry40
            sub-profile entry40
        }
    }

A new session has the following attributes and values:

  • up-node-id with value 172.16.10.50
  • l2-access-id with value 1/1/2
  • s-vlan with value 100

The session matches with all ADB entries. The cMAG-c chooses the entry 10 because it has the highest number of matching criteria; that is, three matching criteria.

Assume entry 10 is shut down. Both entries 20 and 30 have the highest number of matching criteria; that is, two matching criteria. The cMAG-c chooses entry 20 because it has the matching criteria with the highest priority; that is, up-node-id (match 1).

Assume all entries except entry 40 are shut down. The cMAG-c chooses the only matching entry; that is, entry 40.
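The entry matching and selection rules of the last three sections, applied to the testdb entries above, as an added Python example that is not part of the cMAG-c documentation. The data model (Criterion, Entry, a (start, end) tuple standing in for s-vlan-range) and the function names are assumptions; the selection order is the one the text describes: all entry criteria fulfilled, then most criteria, then highest priority (lowest match-id) attributes.

```python
from dataclasses import dataclass, field


@dataclass
class Criterion:
    match_id: int        # lower id = higher priority
    attribute: str
    optional: bool = False


@dataclass
class Entry:
    name: str
    values: dict = field(default_factory=dict)  # attribute -> value or (start, end)
    admin_up: bool = True


def _value_matches(criteria_value, session_value):
    """A (start, end) tuple models a range such as s-vlan-range."""
    if isinstance(criteria_value, tuple):
        start, end = criteria_value
        return start <= session_value <= end
    return criteria_value == session_value


def entry_matches(entry, criteria, session):
    """Every criterion the entry configures must be fulfilled: a mandatory
    attribute must be present and equal; an optional attribute may be absent,
    but if present it must equal the entry value."""
    for c in criteria:
        if c.attribute not in entry.values:
            continue  # this entry does not use the criterion
        if c.attribute not in session:
            if c.optional:
                continue
            return False
        if not _value_matches(entry.values[c.attribute], session[c.attribute]):
            return False
    return True


def select_entry(entries, criteria, session):
    """Name of the best matched admin-up entry, or None. An entry without
    criteria is the default entry and is only chosen when nothing else matches;
    otherwise most criteria wins, ties go to the lowest match ids."""
    priority = {c.attribute: c.match_id for c in criteria}
    matched = [e for e in entries
               if e.admin_up and e.values and entry_matches(e, criteria, session)]
    if not matched:
        defaults = [e for e in entries if e.admin_up and not e.values]
        return defaults[0].name if defaults else None

    def rank(e):
        ids = sorted(priority[a] for a in e.values)
        return (-len(ids), ids)

    return min(matched, key=rank).name


def build_testdb():
    """The testdb match criteria and four entries shown above, as constructed data."""
    criteria = [Criterion(1, "up-node-id", optional=True),
                Criterion(2, "l2-access-id", optional=True),
                Criterion(3, "s-vlan", optional=True)]
    entries = [
        Entry("10", {"up-node-id": "172.16.10.50", "l2-access-id": "1/1/2", "s-vlan": (100, 200)}),
        Entry("20", {"up-node-id": "172.16.10.50", "l2-access-id": "1/1/2"}),
        Entry("30", {"l2-access-id": "1/1/2", "s-vlan": (100, 200)}),
        Entry("40", {"s-vlan": (100, 200)}),
    ]
    return criteria, entries
```

Running `select_entry(entries, criteria, {"up-node-id": "172.16.10.50", "l2-access-id": "1/1/2", "s-vlan": 100})` on the built data reproduces the three outcomes walked through above as entries are shut down.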

Required minimal configuration for a session creation

To create a session, the cMAG-c requires a minimal number of session creation configuration parameters. The table lists the parameters that are required for session creation, as well as the source that contains those parameters.

Table 1. Minimal configuration for a session creation

  Configuration                  Source
  authentication-flow            BNG EP
  service                        ADB, RADIUS
  address-assignment             ADB, RADIUS
  sla-profile (1)                ADB, RADIUS
  sub-profile (1)                ADB, RADIUS
  group-interface-template (1)   ADB, RADIUS
  sap-template (1)               ADB, RADIUS

(1) If the MAG-u contains a template or a profile with the name default, the default template or profile is used when the authentication does not return a template or profile. If the MAG-u does not contain a specific template or profile with the name default, the configuration of the parameters is required.

RADIUS authentication profile

RADIUS authentication is performed when the action parameter in the best-matched ADB entry is set to radius. The RADIUS authentication profile defines the RADIUS authentication behavior. Use the following command to define the profile.

subscriber-management profiles radius-authentication-profile

RADIUS authentication is triggered by the ADB lookup. Consequently, it is possible to have multiple rounds of RADIUS authentication during the authentication flow lookup. If the same attributes are returned in the Access-Accept message during multiple authentication rounds, the last attribute received is used.

A RADIUS authentication profile contains the following configuration commands:

  • server-selection-profile

    The server-selection-profile command references a RADIUS server selection profile that is defined using the following command.

    subscriber-management profiles radius-server-selection-profile

    The RADIUS server selection profile references one or multiple RADIUS servers configured in the subscriber-management ref-points aaa radius context.

    The RADIUS server configuration contains a server address, port, secret, and other server-specific configuration, while the RADIUS server selection profile contains access-related configuration; for example, the access algorithm for selecting the RADIUS server to send the request to from a list of servers.

  • user-name-format

    The user-name-format command defines the username format for the RADIUS server.

    Use the data-trigger-source-ip option in the following command to send the source IP address of the data-trigger packet.

    subscriber-management profiles radius-authentication-profile username-format ipoe format

  • password

    The password command defines the password of the RADIUS user.

  • include-attribute

    The include-attribute command defines the RADIUS attributes to be included in an Access-Request message. Use the commands in the following context to define the attributes to include.

    subscriber-management profiles radius-authentication-profile include-attributes

    See the cMAG-c RADIUS Attributes and IU Triggers for more information about the attributes and the messages they may appear in.

The username and password configuration are required for IPoE authentication and PPPoE PADI authentication.

RADIUS CoA and DM

A RADIUS Change of Authorization (CoA) message or a Disconnect Message (DM) asks for changes in the session or subscriber object.

To enable support for RADIUS CoA and DM messages, use the following command.

subscriber-management ref-points aaa radius dynamic-authorization

The listening address and port are provisioned via the Kubernetes service. See the cMAG-c Installation Guide for more information.

When the cMAG-c receives a CoA or DM message, it makes the requested change to the target object. The cMAG-c RADIUS Attributes and IU Triggers list defines the message attributes that can be used to identify one or multiple sessions as target object. Filter on the value True for the CoA key column to find those attributes in the list. If a subscriber is specified in the request, the cMAG-c applies the requested changes to all sessions of the targeted subscriber.

The CoA message contains one or more attributes that define the requested changes; for example, the Alc-SLA-Prof-Str VSA defines a new SLA profile for the target object. For more information about the supported attributes, see the cMAG-c RADIUS Attributes and IU Triggers.

If the cMAG-c applies all requested changes successfully to all targeted objects, the cMAG-c sends a CoA-ACK message to the RADIUS server. If the cMAG-c can apply the requested changes only partially or only on a subset of the target objects, the cMAG-c sends a CoA-NAK message and rolls back the changes as follows:

  • If the change request is for multiple attributes on a single session and only part of the attribute changes are successful, the cMAG-c sends a CoA-NAK message with ERROR-CAUSE code 404, and rolls back the already applied changes.
  • If the change request is for multiple attributes on multiple sessions and the changes are successful only for a part of all the target sessions, the cMAG-c sends a CoA-NAK message with ERROR-CAUSE code 506 and rolls back the applied changes for the sessions that were only partially changed. For example, if a CoA message requests to change three attributes on five sessions, the cMAG-c successfully applies all attribute changes on session 1, session 2, and session 3 but only one attribute change on session 4 and session 5. The cMAG-c sends a CoA-NAK message with ERROR-CAUSE code 506 and rolls back the attribute change on session 4 and session 5.

A DM message only contains target objects. The cMAG-c removes the sessions of the target objects and sends an ACK message. If the target objects do not exist, the cMAG-c sends a CoA-NAK message with ERROR-CAUSE code 503.

If a CoA or DM message contains an unsupported attribute, the cMAG-c rejects the request with a CoA-NAK message by default. To ignore unsupported attributes, use the following command.

subscriber-management ref-points aaa radius dynamic-authorization ignore-unknown-attributes

Example configuration

The example configurations in this section are for the following setup:

  • IPoE session
  • RADIUS authentication
  • address pool pool-up-1 for sessions from MAG-u 1.1.1.1
  • address pool pool-up-2 for sessions from MAG-u 2.2.2.2
  • sla-profile basic, sub-profile basic, and authentication with radius-auth-profile-1 for sessions with s-vlan 100
  • sla-profile premium, sub-profile premium, and authentication with radius-auth-profile-2 for sessions with s-vlan 200

This setup uses an authentication flow with three ADBs for which the following are returned:

  • ADB adb1 only returns the address pool.
  • ADB adb2 only returns the sla-profile and the sub-profile, and performs RADIUS authentication.
  • ADB adb3 returns the other configuration parameters.

ADB configuration with three ADBs

# info from running /subscriber-management
    authentication-database adb1 {
        admin-state enable
        match 1 {
            attribute up-node-id
        }
        entry up-1 {
            admin-state enable
            match {
                up-node-id 1.1.1.1
            }
            address-assignment {
                local-dynamic {
                    ipv4-pool pool-up-1
                }
            }
        }
        entry up-2 {
            admin-state enable
            match {
                up-node-id 2.2.2.2
            }
            address-assignment {
                local-dynamic {
                    ipv4-pool pool-up-2
                }
            }
        }
    }
    authentication-database adb2 {
        admin-state enable
        match 1 {
            attribute s-vlan
        }
        entry basic {
            admin-state enable
            match {
                s-vlan 100
            }
            action {
                radius {
                    authentication-profile radius-auth-profile-1
                }
            }
            up-parameters {
                sla-profile basic
                sub-profile basic
            }
        }
        entry premium {
            admin-state enable
            match {
                s-vlan 200
            }
            action {
                radius {
                    authentication-profile radius-auth-profile-2
                }
            }
            up-parameters {
                sla-profile premium
                sub-profile premium
            }
        }
    }
    authentication-database adb3 {
        admin-state enable
        entry default {
            admin-state enable
            service-name mybng
            up-parameters {
                group-interface-template defaultgroup
                sap-template defaultsap
            }
        }
    }

The following example shows the configuration of the BNG EP.

BNG EP configuration

# info from running /subscriber-management
    entry-point e1 {
        admin-state enable
        entry 10 {
            admin-state enable
            ipoe {
                authentication-flow {
                    authentication-database [
                        adb1
                        adb2
                        adb3
                    ]
                }
            }
        }
    }

The following example shows a reference to the BNG EP configured in the following context.

subscriber-management ref-points up fixed-access

BNG EP reference configuration

# info from running /subscriber-management ref-points up fixed-access
    entry-point e1
    ibcp-triggers {
        ipoe-dhcp true
    }