Authentication

Configure authentication for a new MAG-c session, including the RADIUS authentication profile. Learn about the BNG EP and ADB lookup process.

Overview of the authentication process

The authentication process for a new session on MAG-c performs a lookup in the following order:

  1. BNG EP for fixed sessions or APN for FWA sessions
  2. authentication flow

The BNG EP or APN lookup returns the following:

  • basic configurations for the CP protocol negotiation (for example, the IPoE profile, the PPPoE profile)
  • basic session configuration (for example, subscriber identification)
  • the authentication flow used to authenticate the session

The authentication flow contains an ordered list of Authentication Databases (ADBs). The MAG-c performs a lookup in each ADB in the list, in the specified order. The lookup returns the following configurations required to create the session:

  • session attributes (for example, the SLA profile and the subscriber profile)
  • address assignment configuration (for example, the local address pool name)
  • optional external AAA authentication (for example, RADIUS)

When both the BNG EP or APN lookup and the authentication flow lookup complete successfully, the MAG-c creates a full forwarding state on the BNG-UP for the session using the session management procedures.

BNG entry point (EP)

The BNG entry point (EP) provides information needed in the authentication flow. This section describes how to create and configure a BNG EP.

Use the following command to create a BNG EP.

configure mobile-gateway pdn gw-id sx-n4 signaling ibcp bng-entry-point name
configure mobile-gateway pdn 1 sx-n4 signaling ibcp bng-entry-point e1
Note: Each Sx-N4 reference point can reference only one BNG EP; that is, BNG EP e1 and e2 must not be referenced in the same config>mobile>pdn>sx-n4 context.

To define the control packet types that trigger the BNG EP lookup, use the following command:

configure mobile-gateway pdn gw-id sx-n4 signaling ibcp triggers [pppoe-discover] [ipoe-dhcp] [ipoe-dhcpv6] [ipoe-router-solicit]
configure mobile-gateway pdn 1 sx-n4 signaling ibcp triggers ipoe-dhcp

To configure the content of the BNG EP in the BNG profile, use the entry-point command in the config>mobile>profile>bng context.

The following example shows a BNG profile EP configuration.

config>mobile>profile>bng>
----------------------------------------------
    entry-point "e1"
                    match 1 attribute up-ip
                    exit
                    entry "10"
                        ipoe
                            ipoe-profile "mydefault"
                            authentication-flow
                                adb "adb1" "adb2"
                            exit
                        exit
                        match
                            up-ip 172.16.10.50
                        exit
                        pppoe
                            pppoe-profile "pppoeProf1"
                            authentication-flow
                                pap-chap-adb "adb3" "adb4"
                            exit
                        exit
                        no shutdown
                    exit
                    no shutdown
----------------------------------------------

Authentication database (ADB)

Each ADB entry contains three groups of configuration parameters:

  • match criteria
  • action parameters
  • session creation parameters (for example, sla-profile)

After the MAG-c chooses the best matched entry in the ADB, the MAG-c executes the configured action. The action can be any of the following types:

  • reject

    The session authentication fails and no subsequent ADB lookups are performed, even if they are configured as part of the authentication flow.

  • accept

    The MAG-c includes the session creation configuration parameters of the chosen ADB entry for the session creation.

  • radius

    The MAG-c performs the RADIUS authentication using the RADIUS authentication profile. Configure the RADIUS authentication profile using the radius-authentication-profile command in the config>mobile>profile>bng context. If the RADIUS authentication succeeds, the MAG-c includes the returned RADIUS authentication attributes and the session creation configuration parameters for the session creation. If the RADIUS authentication fails, the session authentication fails.

  • local_auth

    The MAG-c performs a PAP/CHAP authentication using the configured username and password in the ADB entry for the PPPoE session. Configure the username using the username command in the config>mobile>profile>adb>entry>match context. Configure the password using the action local-auth command in the config>mobile>profile>adb>entry context.

The MAG-c uses the session creation configuration parameters of all ADBs. The authentication flow contains an ordered list of ADBs. If ADBx comes before ADBy in the ordered list of ADBs, the values of the parameters in ADBy have priority over the values of the parameters in ADBx. For example, an authentication flow contains two ADBs, ADB1 and ADB2. If the matched entry in ADB1 returns sla-profile foo, and the matched entry in ADB2 returns sla-profile bar, a new session is created with sla-profile bar.

If a session creation configuration is not explicitly configured (for example, it equals the default value), the ADB lookup returns no value for this configuration. For example, an authentication flow contains two ADBs, ADB1 and ADB2. If ADB1 returns sla-profile bar, and the matched entry in ADB2 does not contain an explicit configuration for sla-profile (it equals the default value), a new session is created with sla-profile bar.

Some session creation configuration parameters support a special discard keyword. The discard keyword means that the previously returned ADB value for the attribute must be discarded. For example, an authentication flow contains two ADBs, ADB1 and ADB2. If ADB1 returns a value for bng-charging-profile, and ADB2 returns discard for bng-charging-profile, the MAG-c creates the session without bng-charging-profile.

Authentication flow

An authentication flow contains the following configuration items:

  • trigger packet type; for example, DHCPv4 discovery or PPPoE PADI packet
    Note: For an FWA session, the trigger packet type is not explicitly configured. It is always the first session establishment message, such as a GTP Create Session Request message.
  • ordered list of one or more ADBs for the specified trigger packet type

When the BNG-UP sends a trigger packet, the MAG-c performs a lookup in each ADB in the list, in the specified order. Each ADB can return session-related configurations. These session-related configurations can be locally configured or returned from an external AAA server.

An IPoE or FWA session has only one authentication flow. A PPPoE session requires at least one of the following independent authentication flows:

  • PADI
  • PAP/CHAP

If an ADB lookup fails, the session setup fails. The ADB lookup may fail, for example, if an entry is matched with an action reject or if there is an AAA authentication failure.

If all lookups complete successfully, the MAG-c continues session setup using the combined configurations from all ADB lookups. For example, the BNG EP lookup returns two authentication flows for a new PPPoE session. The authentication flows return the following configuration:

  • PADI authentication flow with 1 ADB: ADB1 returns PADO delay value
  • PAP/CHAP authentication flow with 2 ADBs: ADB2 configures RADIUS authentication, ADB3 returns a local address pool

In this example, the MAG-c uses the combined configuration result from the three ADB lookups to set up the PPPoE session.

Each session requires an APN for service selection, as described in Service selection. The APN can also provide override for specific configurations. If different types of sources return the same type of configuration (for example, an address pool name), the MAG-c uses the value of the source with the highest ranking. The sources are ranked as follows, with the highest ranked first:

  1. AAA
  2. Local ADB
  3. APN

If different sources of the same type (for example, different ADBs) return the same type of configuration, the MAG-c uses the last returned value. For example, if both ADB-1 and ADB-N return an SLA profile name, and ADB-1 returns SLA profile name X and ADB-N returns SLA profile name Y, the system uses SLA profile name Y because it is the last returned value.
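
The combination rules described above (later ADB wins, unset values return nothing, discard, reject stops the flow, and the AAA > Local ADB > APN ranking) can be modelled as follows. This is an added Python example, not Nokia code or part of the original page; the function and key names are hypothetical, the RADIUS reply is represented as a plain dictionary of session parameters, and the local_auth action is left out.

```python
DISCARD = object()   # stands for the "discard" keyword in an ADB entry


class AuthenticationFailed(Exception):
    """Raised when the flow stops on a reject or a failed RADIUS authentication."""


def run_authentication_flow(matched_entries, radius_lookup=None, apn_config=None):
    """Combine the results of an ordered authentication flow.

    matched_entries: the best matched entry of each ADB, in flow order, as
        {"adb": str, "action": "accept" | "reject" | "radius",
         "radius_profile": str (radius only),
         "params": {name: value or DISCARD}}
    radius_lookup: callable(profile_name) returning a dict of values, or None
        when the server rejects the request (constructed stand-in for AAA).
    apn_config: values supplied by the APN, the lowest ranked source.
    """
    local_adb, aaa = {}, {}
    for entry in matched_entries:
        action = entry["action"]
        if action == "reject":
            # No subsequent ADB lookups are performed after a reject.
            raise AuthenticationFailed(f"{entry['adb']}: reject")
        if action == "radius":
            reply = radius_lookup(entry["radius_profile"])
            if reply is None:
                raise AuthenticationFailed(f"{entry['adb']}: RADIUS failed")
            aaa.update(reply)            # same source type: last value wins
        for name, value in entry.get("params", {}).items():
            if value is DISCARD:
                local_adb.pop(name, None)   # drop the earlier ADB value
            else:
                local_adb[name] = value     # later ADB overrides earlier ADB
    # Apply sources from lowest to highest rank: APN, local ADB, AAA.
    session = dict(apn_config or {})
    session.update(local_adb)
    session.update(aaa)
    return session


if __name__ == "__main__":
    # Constructed flow: ADB1 authenticates via RADIUS, ADB2 is local only.
    flow = [
        {"adb": "ADB1", "action": "radius", "radius_profile": "profile-1",
         "params": {"sla-profile": "foo", "bng-charging-profile": "chg"}},
        {"adb": "ADB2", "action": "accept",
         "params": {"sla-profile": "bar", "bng-charging-profile": DISCARD}},
    ]
    print(run_authentication_flow(
        flow,
        radius_lookup=lambda profile: {"address-pool": "aaa-pool"},
        apn_config={"address-pool": "apn-pool"},
    ))
```

Running a candidate flow through such a model before deployment shows which source ends up supplying each parameter, and confirms that an entry with action reject cannot be bypassed by an ADB placed later in the list.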

BNG EP and ADB lookup

Both the BNG EP entries and the ADB entries contain session configuration and one or more ordered match criteria. The match criteria are used in the lookup. The session configuration is used in the creation of the session.

Match criteria properties

Match criteria have the following properties:
  • match-id

    The match ID defines the priority. The lower the ID, the higher the priority.

  • attribute

    The attribute defines the name of the attribute that is used for the lookup. It is the name of a session attribute. The attribute can be a control protocol field (for example, DHCP option 82 circuit-id, vendor-class) or metadata of the session (for example, l2-access-id).

  • value

    The value defines the criteria value to which the session value must match for the specified attribute. If the attribute is optional, the value can be empty, meaning any session value matches with the criteria value.

  • optional

    Match criteria can be optional or mandatory. The attribute of optional criteria does not need to be present in the session data to match the entry. If the attribute of optional criteria is present in the session data, the session value must equal the criteria value to match the entry. An attribute that is not present in the entry can have any value in the session (including not available).

  • string-mask

    A string mask is applied to the value of the session attribute before comparing it with the value of the criteria. It can be used for supported attributes (for example, l2-access-id).

The string mask can be length-based or string-based and can be a suffix or a prefix, as follows:

  • prefix
    • length-based

      The MAG-c removes the specified number of characters from the beginning of the session value.

    • string-based

      The MAG-c removes the specified string from the beginning of the session value. An asterisk (*) can be used as a wild-card in the string mask.

  • suffix
    • length-based

      The MAG-c removes the specified number of characters from the end of the session value.

    • string-based

      The MAG-c removes the specified string from the end of the session value. An asterisk (*) can be used as a wild-card in the string mask.

The following examples show the string that is used to compare the session value of l2-access-id with the criteria value for a specific string mask configuration. Assume that the session value of l2-access-id equals 1/2/3.
  • For string-mask equal to prefix length 2, the MAG-c removes the first two characters of the session value. The resulting value 2/3 is used to match with the end of the criteria value; for example, the resulting value 2/3 matches with the criteria value 4/2/3.
  • For string-mask equal to suffix string "/*", the MAG-c removes the last slash (/) and everything after it at the end of the session value. The resulting value 1/2 is used to match with the beginning of the criteria value; for example, the resulting value 1/2 matches with the criteria value 1/2/4.
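
The string mask behaviour above, sketched in Python as an added example (not Nokia code or part of the original page). The function names are hypothetical, and the handling of the asterisk is an assumption: the wildcard is taken to match as few characters as possible, which reproduces the "/*" result given above.

```python
import re


def apply_string_mask(value, side, length=None, string=None):
    """Return the session value after the mask has been removed.

    side is "prefix" or "suffix"; give either length (length-based mask)
    or string (string-based mask, where * is a wildcard).
    """
    if side not in ("prefix", "suffix"):
        raise ValueError("side must be 'prefix' or 'suffix'")
    if length is not None:
        if side == "prefix":
            return value[length:]
        return value[:max(len(value) - length, 0)]
    # Assumption: * matches the shortest possible run of characters.
    pattern = ".*?".join(re.escape(part) for part in string.split("*"))
    if side == "prefix":
        found = re.match(pattern, value)
        return value[found.end():] if found else value
    # Suffix: find the shortest tail of the value that the mask covers.
    for start in range(len(value), -1, -1):
        if re.fullmatch(pattern, value[start:]):
            return value[:start]
    return value


def masked_match(session_value, criteria_value, side, **mask):
    """Compare as the page describes: a prefix mask leaves a value that is
    matched with the end of the criteria value, a suffix mask leaves a value
    that is matched with the beginning of the criteria value.

    In this model an empty masked value matches any criteria value; what the
    MAG-c does in that case is not stated on the page.
    """
    masked = apply_string_mask(session_value, side, **mask)
    if side == "prefix":
        return criteria_value.endswith(masked)
    return criteria_value.startswith(masked)


if __name__ == "__main__":
    # Session value taken from the examples on this page.
    print(apply_string_mask("1/2/3", "prefix", length=2))    # 2/3
    print(apply_string_mask("1/2/3", "suffix", string="/*"))  # 1/2
    print(masked_match("1/2/3", "4/2/3", "prefix", length=2))
    print(masked_match("1/2/3", "1/2/4", "suffix", string="/*"))
```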

Default entries

If a BNG EP entry or an ADB entry does not have any match criteria, this BNG EP entry or ADB entry is the default entry. The MAG-c chooses the default entry when there is no other matched entry. Only one default entry is allowed for the BNG EPs and for the ADBs.

Entry matching

Entries of a BNG EP or of an ADB cannot have the same set of match criteria within the same BNG EP or ADB. In this case, the entry becomes operationally down. The system does allow entries with the same match criteria in different BNG EPs or ADBs.

During a BNG EP or ADB lookup, the MAG-c compares the attributes of the session with the match criteria of all entries in the BNG EP or in the ADB and creates a list of all matched entries. A matched entry is one for which all mandatory match criteria are fulfilled.

At the end of the lookup, the MAG-c chooses the best matched entry from the list of all matched entries for session creation. The MAG-c chooses an entry from the list as follows:
  • If the list of all matched entries contains only one entry, that entry is the best match.
  • If the list of all matched entries contains more than one entry, the MAG-c reduces the list to the entries with the highest number of match criteria. If this list contains only one entry, that entry is the best match.
  • If the reduced list of entries with the highest number of match criteria contains more than one entry, the MAG-c selects the entry with matches for the highest priority attributes.

Example mandatory and optional match criteria

As an example, the match criteria for an ADB entry contain the attribute l2-access-id (marked optional) and the attribute up-ip (mandatory). To call the ADB entry a matched entry, one of the following must be true.

  • Both up-ip and l2-access-id are present in the session and both match the values in the ADB entry.
  • Only up-ip is present in the session and it matches the value in the ADB entry.

If both l2-access-id and up-ip are present in the session, but only l2-access-id matches the value in the ADB entry, the ADB entry is not a matched entry.

Example entry matching and selection

The following output defines the configuration of four ADB entries.

----------------------------------------------
#first match criteria is UP's IP address 
                match 1 attribute up-ip 
                    optional
                exit
#2nd match criteria is Layer 2 access ID
                match 2 attribute l2-access-id
                    optional
                exit
#3rd match criteria is SVLAN
                match 3 attribute s-vlan
                    optional
                exit
                entry "10"
                    match
                        l2-access-id "1/1/2"
                        up-ip 172.16.10.50
                        vlan
                            s-vlan start 100 end 200
                        exit
                    exit
                    subscriber-mgmt
                        sla-profile "entry10"
                        sub-profile "entry10"
                    exit
                    no shutdown
                exit
                entry "20"
                    charging
                        bng-charging-profile "mybngcharging"
                    exit
                    match
                        l2-access-id "1/1/2"
                        up-ip 172.16.10.50
                    exit
                    subscriber-mgmt
                        sla-profile "entry20"
                        sub-profile "entry20"
                    exit
                    no shutdown
                exit
                entry "30"
                    match
                        l2-access-id "1/1/2"
                        vlan
                            s-vlan start 100 end 200
                        exit
                    exit
                    subscriber-mgmt
                        sla-profile "entry30"
                        sub-profile "entry30"
                    exit
                    no shutdown
                exit
                entry "40"
                    match
                        vlan
                            s-vlan start 100 end 200
                        exit
                    exit
                    subscriber-mgmt
                        sla-profile "entry40"
                        sub-profile "entry40"
                    exit
                    no shutdown
                exit
                no shutdown
----------------------------------------------

A new session has the following attributes and values:

  • up-ip with value 172.16.10.50
  • l2-access-id with value 1/1/2
  • s-vlan with value 100

The session matches with all ADB entries. The MAG-c chooses the entry 10 because it has the highest number of matching criteria; that is, three matching criteria.

Assume the entry 10 is shut down. Both the entries 20 and 30 have the highest number of matching criteria; that is, two matching criteria. The MAG-c chooses the entry 20 because it has the matching criteria with the highest priority; that is, up-ip.

Assume all entries except 40 are shut down. The MAG-c chooses the only matching entry; that is, the entry 40.
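
The matching and selection rules of this section, modelled in Python and run against the four entries above. This is an added example, not Nokia code or part of the original page; the class and function names are hypothetical, and it assumes that the "number of match criteria" counts the criteria that were actually compared with a session value.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Criterion:
    match_id: int            # lower ID = higher priority
    attribute: str
    optional: bool = False


@dataclass
class Entry:
    name: str
    match: dict = field(default_factory=dict)   # attribute -> value or (start, end)
    shutdown: bool = False


def value_matches(expected, actual):
    """Exact comparison, or an inclusive range check for (start, end) tuples."""
    if isinstance(expected, tuple):
        return expected[0] <= actual <= expected[1]
    return expected == actual


def matched_ids(entry, criteria, session):
    """Sorted match-ids that matched, or None when the entry is not a match."""
    by_attribute = {c.attribute: c for c in criteria}
    hits = []
    for attribute, expected in entry.match.items():
        criterion = by_attribute[attribute]
        if attribute not in session:
            if criterion.optional:
                continue         # optional and absent: entry can still match
            return None          # mandatory attribute missing from the session
        if not value_matches(expected, session[attribute]):
            return None          # present but different: never a match
        hits.append(criterion.match_id)
    return sorted(hits)


def select_entry(entries, criteria, session):
    """Name of the best matched entry, or None when nothing matches."""
    candidates = []
    for entry in entries:
        if entry.shutdown:
            continue
        ids = matched_ids(entry, criteria, session)
        if ids is not None:
            # Most matched criteria first, then the lowest match-ids; the
            # name only keeps the result deterministic on a full tie.
            candidates.append((-len(ids), ids, entry.name))
    return min(candidates)[2] if candidates else None


# Criteria, entries and session values copied from the example on this page.
CRITERIA = [
    Criterion(1, "up-ip", optional=True),
    Criterion(2, "l2-access-id", optional=True),
    Criterion(3, "s-vlan", optional=True),
]
SESSION = {"up-ip": "172.16.10.50", "l2-access-id": "1/1/2", "s-vlan": 100}


def page_entries(shut_down=()):
    """The four ADB entries, with the named ones administratively shut down."""
    matches = {
        "10": {"l2-access-id": "1/1/2", "up-ip": "172.16.10.50", "s-vlan": (100, 200)},
        "20": {"l2-access-id": "1/1/2", "up-ip": "172.16.10.50"},
        "30": {"l2-access-id": "1/1/2", "s-vlan": (100, 200)},
        "40": {"s-vlan": (100, 200)},
    }
    return [Entry(name, match, name in shut_down) for name, match in matches.items()]


if __name__ == "__main__":
    print(select_entry(page_entries(), CRITERIA, SESSION))
    print(select_entry(page_entries(shut_down=("10",)), CRITERIA, SESSION))
    print(select_entry(page_entries(shut_down=("10", "20", "30")), CRITERIA, SESSION))
```

Because an entry decides the action (reject, accept, radius), replaying representative sessions through a model like this is a quick way to confirm that no session lands on a more permissive entry than intended when an attribute is absent.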

Required minimal configuration for a session creation

To create a session, the MAG-c requires a minimal number of session creation configuration parameters. The table lists the parameters that are required for session creation, as well as the source that contains those parameters.

Table 1. Minimal configuration for a session creation

Configuration                              Source
ipoe-profile (IPoE session only)           BNG EP
pppoe-profile (PPPoE session only)         BNG EP
authentication-flow (fixed access)         BNG EP
authentication-flow (FWA)                  APN
APN                                        ADB, RADIUS
address-assignment                         ADB, RADIUS
sla-profile (notes 1, 2)                   ADB, RADIUS
sub-profile (notes 1, 2)                   ADB, RADIUS
group-interface-template (notes 1, 2)      ADB, RADIUS
sap-template (notes 1, 2)                  ADB, RADIUS

RADIUS authentication profile

RADIUS authentication is performed when the action parameter in the best matched ADB entry equals radius. The RADIUS authentication profile defines the behavior of the RADIUS authentication. To define the profile, use the radius-authentication-profile command in the config>mobile>profile>bng context.

RADIUS authentication is triggered by ADB lookup, which means it is possible to have multiple rounds of RADIUS authentications during the authentication flow lookup. If during multiple rounds, the same attributes are returned in the Access-Accept message, the last attribute received is used.

A RADIUS authentication profile contains the following configuration commands:

  • radius-group

    The radius-group command contains RADIUS server configuration such as address, port, and shared secret. To define the RADIUS server configuration, use the radius-group command in the config>mobile>profile context. Afterwards, reference this radius-group in the config>mobile>profile>bng>radius-authentication-profile context.

  • user-name-format

    The user-name-format command defines the username format for the RADIUS server. To define the username format, use the user-name-format command in the config>mobile>profile>bng>radius-authentication-profile context.

  • password

    The password command defines the password of the RADIUS user. To define the password, use the password command in the config>mobile>profile>bng>radius-authentication-profile context.

  • include-attribute

    The include-attribute command defines the RADIUS attributes to be included in an Access-Request message. To define the attributes to be included, use the include-attribute command in the config>mobile>profile>bng>radius-authentication-profile context.

The username and password configuration is required for IPoE authentication, PPPoE PADI authentication, and FWA authentication if no PAP/CHAP credentials are provided during FWA session setup.

RADIUS CoA and DM

A RADIUS CoA or a DM message asks for changes in the session or subscriber object.

To enable support for RADIUS CoA and DM messages, use the interface command in the config>mobile>pdn>bng>radius-coa context.

The interface defines one or more listening interfaces for incoming CoA and DM messages, and the shared secrets.

When the MAG-c receives a CoA or DM message, it makes the requested change to the target object. The CMG BNG CUPS RADIUS Attributes list defines the message attributes that can be used to identify one or multiple sessions as target object. Filter on the value yes for the CoA key column to find those attributes in the list. If a subscriber is specified in the request, the MAG-c applies the requested changes to all sessions of the targeted subscriber.

The CoA message contains one or more attributes that define the requested changes; for example, the Alc-SLA-Prof-Str VSA defines a new sla-profile for the target object. For more information about the supported attributes, see the CMG BNG CUPS RADIUS Attributes.

If the MAG-c applies all requested changes successfully to all targeted objects, the MAG-c sends a CoA-ACK message. If the MAG-c can only apply the requested changes partially or only on a subset of the target objects, the MAG-c sends a CoA-NAK message with an ERROR-CAUSE code 506, and rolls back the changes as follows.

  • If the change request is for multiple attributes on a single session and only part of the attribute changes are successful, the MAG-c sends a CoA-NAK message with an ERROR-CAUSE code 404, and rolls back the already applied changes.
  • If the change request is for multiple attributes on multiple sessions and the changes are only successful for a part of all the target sessions, the MAG-c sends a CoA-NAK message with an ERROR-CAUSE code 506, and rolls back the applied changes for the sessions that were only partially changed. For example, a CoA message requests to change three attributes on five sessions. The MAG-c successfully applies all attribute changes on session 1, session 2, and session 3, but only applies one attribute change successfully on session 4 and session 5. The MAG-c sends a CoA-NAK message and rolls back the attribute change on session 4 and session 5.

A DM message only contains target objects. The MAG-c removes the sessions of the target objects and sends an ACK message. If the target objects do not exist, the MAG-c sends a CoA-NAK message with ERROR-CAUSE code 503.

If a CoA or DM message contains an unsupported attribute, the MAG-c rejects the request with a CoA-NAK message by default. To ignore unsupported attributes, use the ignore-unknown-attributes command in the config>mobile>pdn>bng>radius-coa context.

Example configuration

The example configuration in this section is for the following setup:

  • IPoE session
  • RADIUS authentication
  • address pool pool-up-1 for sessions from BNG-UP 1.1.1.1
  • address pool pool-up-2 for sessions from BNG-UP 2.2.2.2
  • sla-profile basic, sub-profile basic, and authentication with radius-auth-profile-1 for sessions with s-vlan 100
  • sla-profile premium, sub-profile premium, and authentication with radius-auth-profile-2 for sessions with s-vlan 200

To achieve the above setup, an authentication flow with three ADBs is used. In this example, the following is returned.

  • ADB adb1 only returns the address pool.
  • ADB adb2 only returns the sla-profile and the sub-profile, and performs RADIUS authentication.
  • ADB adb3 returns the other configuration parameters.

The following example shows the ADB configuration.

  authentication-database "adb1"
      match 1 attribute up-ip
      exit
      entry "up-1"
          address-assignment
              local-dynamic
                  ipv4-pool "pool-up-1"
              exit
          exit
          match
              up-ip 1.1.1.1
          exit
          no shutdown
      exit
      entry "up-2"
          address-assignment
              local-dynamic
                  ipv4-pool "pool-up-2"
              exit
          exit
          match
              up-ip 2.2.2.2
          exit
          no shutdown
      exit
      no shutdown
  exit
  authentication-database "adb2"
      match 1 attribute s-vlan
      exit
      entry "basic"
          action radius radius-authentication-profile "radius-auth-profile-1"
          match
              vlan
                  s-vlan start 100 end 100
              exit
          exit
          subscriber-mgmt
              sla-profile "basic"
              sub-profile "basic"
          exit
          no shutdown
      exit
      entry "premium"
          action radius radius-authentication-profile "radius-auth-profile-2"
          match
              vlan
                  s-vlan start 200 end 200
              exit
          exit
          subscriber-mgmt
              sla-profile "premium"
              sub-profile "premium"
          exit
          no shutdown
      exit
      no shutdown
  exit
  authentication-database "adb3"
      entry "default"
          apn "mybngvrf"
          interface
              group-interface-template "defaultgroup"
              sap-template "defaultsap"
          exit
          no shutdown
      exit
      no shutdown
  exit

The following example shows the configuration of the BNG EP.

*A:BNG-CPF>config>mobile>profile>bng# info
----------------------------------------------
                entry-point "e1"
                    entry "10"
                        ipoe
                            ipoe-profile "mydefault"
                            authentication-flow
                                adb "adb1" "adb2" "adb3"
                            exit
                        exit
                        no shutdown
                    exit
                    no shutdown
                exit

The following example shows the reference to the BNG EP in the config>mobile>pdn>sx-n4>signaling>ibcp context.

*A:BNG-CPF>config>mobile>pdn>sx-n4# info
----------------------------------------------
                pfcp-association-list "pfcpassoc1"
                interface
                    pfcp "system"
                    ibcp "system"
                exit
                signaling
                    pfcp
                        profile "pfcppro-1"
                    exit
                    ibcp
                        bng-entry-point "e1"
                        triggers ipoe-dhcp
                    exit
                exit

Web portal authentication

The BNG supports the WPP protocol to authenticate broadband or WLAN users on a web portal.

Web portal authentication uses the WPP protocol between a BNG and a web portal server for broadband or WLAN users. The user provides a username and password on the portal page and the web portal triggers the BNG to perform RADIUS authentication with the specified credentials.

WPP call flow example

The following figure shows a high-level call flow example of WPP authentication for a client using DHCPv4 on a BNG CUPS system.

Figure 1. WPP on BNG CUPS call flow example
  1. The client sends a DHCP discovery packet. The BNG-UP forwards it to the MAG-c. The MAG-c authenticates the packet via the authentication flow. The authentication returns two sets of SLA profile and subscriber profile, that is, initial profiles and after-auth profiles.
    • Initial profiles are used for the client before portal authentication. The SLA profile includes a filter that contains an HTTP redirection entry to the portal.
    • After-auth profiles are used for the client after portal authentication.
    The authentication returns the following key WPP attributes:
    • a WPP RADIUS authentication profile, used in step 8.
    • an HTTP redirection URL
  2. The MAG-c creates a session on the BNG-UP with the initial profiles and the redirection URL via PFCP.
  3. The client finishes DORA with the MAG-c.
  4. The client sends an HTTP request.
  5. Because of the redirection filter in the initial SLA profile, the BNG-UP intercepts the HTTP request and sends an HTTP 302 redirection response.
  6. The client is redirected to the portal. The user provides user credentials (for example, username and password).
  7. The portal sends the user credentials in a WPP request message to the MAG-c.
  8. The MAG-c sends a RADIUS authentication request to the RADIUS server with the user credentials received in the WPP request.
  9. The RADIUS server successfully authenticates the request and sends an Access Accept message. Optionally, the RADIUS server includes an SLA profile and a subscriber profile in the Access Accept message. Those profiles are after-auth profiles that override the after-auth profiles of step 1.
  10. If the RADIUS server sent after-auth profiles in the Access Accept message of step 9, the MAG-c modifies the session with those profiles.
  11. The MAG-c and the web portal exchange WPP Ack messages.
  12. The web portal returns a login successful page to the client.
  13. Optionally, the MAG-c starts RADIUS accounting.

Variables in the HTTP redirection URL

The initial authentication returns an HTTP redirection URL that optionally contains one or multiple variables. The variables are replaced with session-specific values. The supported variables are:

  • $IP — the IPv4 or IPv6 address that triggers the WPP authentication
  • $MAC — the MAC address
  • $URL — the original requested URL
  • $SAP — the Layer 2 access ID and the VLAN tags
  • $SUB — the subscriber ID as a string
  • $CID — the circuit ID, or the interface ID of the subscriber host (in hexadecimal format)
  • $RID — the remote ID of the subscriber host (hexadecimal format)
  • $SYSNAME — CPF_SYSTEM_NAME:UPF_IP

For example, when the initial authentication returns http://www.example.com/login?sub=$SUB, and the subscriber ID for the session equals sub1, the actual URL is http://www.example.com/login?sub=sub1

HTTP redirection URL override

If the initial authentication contains RADIUS authentication, and the Access Accept message contains the Alc-Portal-Url RADIUS attribute, the value of the RADIUS attribute is used for HTTP redirection. The URL in the Alc-Portal-Url RADIUS attribute overrides the locally configured HTTP redirection URL.

Portal group

You can configure up to eight WPP portals in a portal group. The MAG-c can receive WPP requests from any of the configured portals in the portal group.

When the BNG initiates a WPP NTF_LOGOUT message, it sends the NTF_LOGOUT message to all configured portals in the portal group. The first received ACK_LOGOUT stops the retransmission of the NTF_LOGOUT message.

A WPP portal group can be used to achieve WPP portal redundancy, taking into account the following:
  • A portal can only be configured in one portal group.
  • A portal can be in a portal group and at the same time be used as an individual portal.
  • Portals supporting different WPP versions (version 1 and version 2) are allowed in the same portal group.

WPP port attribute

The MAG-c uses the WPP port attribute in the WPP protocol messages to identify the port of the session.

The format of the WPP port attribute is CPF_SYSTEM_NAME#UPF_ADDR#L2_ACCESS_ID:VLAN1.VLAN2. If the length of the resulting string exceeds 35 characters, the system truncates it to the first 35 characters.

For example, CUPSBNG1#2.2.2.2#1/2/10:100.200, where
  • SAP (the Layer 2 access ID and the VLAN tags) = 1/2/10:100.200
  • BNG-UP address = 2.2.2.2
  • MAG-c system name = CUPSBNG1
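
Because the attribute is cut at 35 characters, a long system name or address can push the SAP out of the string, so that different sessions produce the same WPP port value. The following added Python example (not Nokia code or part of the original page) builds the attribute in the documented format and reports such collisions; the function names and the long system name and addresses are constructed for illustration.

```python
from collections import defaultdict

WPP_PORT_MAX = 35   # truncation length stated on this page


def wpp_port(system_name, up_addr, l2_access_id, vlans):
    """Return (attribute, truncated) for one session.

    Format: CPF_SYSTEM_NAME#UPF_ADDR#L2_ACCESS_ID:VLAN1.VLAN2
    """
    vlan_part = ".".join(str(v) for v in vlans)
    full = f"{system_name}#{up_addr}#{l2_access_id}:{vlan_part}"
    return full[:WPP_PORT_MAX], len(full) > WPP_PORT_MAX


def truncation_collisions(sessions):
    """Group sessions whose WPP port attribute is identical.

    sessions: iterable of (system_name, up_addr, l2_access_id, vlans) tuples.
    Returns {attribute: [session, ...]} for attributes shared by two or more
    distinct sessions.
    """
    groups = defaultdict(list)
    for session in sessions:
        attribute, _ = wpp_port(*session)
        if session not in groups[attribute]:
            groups[attribute].append(session)
    return {attr: members for attr, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    # Example from this page: fits within the limit.
    print(wpp_port("CUPSBNG1", "2.2.2.2", "1/2/10", (100, 200)))

    # Constructed sessions with a long system name: the SAP, and even part
    # of the BNG-UP address, falls outside the first 35 characters.
    long_name = "CUPSBNG-CONTROL-PLANE-EAST-01"
    sessions = [
        (long_name, "192.0.2.10", "1/2/10", (100, 200)),
        (long_name, "192.0.2.20", "1/2/11", (300, 400)),
        ("CUPSBNG1", "2.2.2.2", "1/2/10", (100, 200)),
    ]
    for attribute, members in truncation_collisions(sessions).items():
        print(attribute, "is shared by", len(members), "sessions")
```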

Configuring WPP

To configure a minimal WPP configuration, define a WPP listening interface, a WPP portal, a portal group, a RADIUS authentication profile, and configure WPP in the ADB entry.

The steps in this procedure define a minimal WPP configuration.

  1. Configure a WPP listening IP interface.

    Use the interface command in the config>mobile>pdn>bng>wpp context.

  2. Define a WPP portal.

    Use the portal command in the config>mobile>profile>bng>wpp context.

  3. Define a portal group and include a reference to the portal defined in the previous step.

    Use the portal-group command in the config>mobile>profile>bng>wpp context.

  4. Define a RADIUS authentication profile.

    Use the radius-authentication-profile command in the config>mobile>profile>bng context.

  5. Configure the WPP context in an ADB entry.
    Use the following commands in the config>mobile>profile>adb>entry>wpp context.
    • Use the portal-group command to reference the portal group defined in step 3.
    • Use the wpp-radius-authentication command to reference the RADIUS authentication profile defined in step 4.
    • Use the initial-profiles command to specify the names of the initial SLA and subscriber profiles.
    • Use the no shutdown command to enable the WPP entity in the ADB entry.
  6. Configure the HTTP redirection URL in an ADB entry.
    Use the http-redirect url command in the config>mobile>profile>adb>entry context.
  7. Configure the after-auth profiles in an ADB entry.
    Use the subscriber-mgmt command in the config>mobile>profile>adb>entry context to define the after-auth SLA and subscriber profiles.
*A:BNG-CPF>config>mobile>pdn>bng>wpp# info
----------------------------------------------
                        interface router "Base" name "system"
----------------------------------------------
*A:BNG-CPF>config>mobile>profile>bng>wpp# info
----------------------------------------------
                    portal "p1"
                        address 2001:beef::1
                        router "Base"
                        source-address 2001:dead::1
                        no shutdown
                    exit
                    portal-group "g1"
                        realm "mybngvrf"
                        portal "p1"
                        no shutdown
                    exit
----------------------------------------------
*A:BNG-CPF>config>mobile>profile>adb>entry# info
----------------------------------------------
                    apn "mybngvrf"
                    dhcp-profile "mydefault"
                    http-redirect
                        url "http://www.exampleportal.com"
                    exit
                    address-assignment
                        local-dynamic
                            ipv4-pool "p1"
                        exit
                    exit
                    interface
                        group-interface-template "defaultgrp"
                        sap-template "defaultsap"
                    exit
                    subscriber-mgmt
                        sla-profile "base"
                        sub-profile "base"
                    exit
                    wpp
                        portal-group "g1"
                        wpp-radius-authentication "wpp-rad"
                        initial-profiles
                            sla-profile "ini-sla"
                            sub-profile "ini-sub"
                        exit
                        no shutdown
                    exit
                    no shutdown
----------------------------------------------

Notes to Table 1:
1 Required when using a Nokia BNG-UP.
2 If the BNG-UP contains a template or a profile with the name default, the default template or profile is used when the authentication does not return a template or profile. If the BNG-UP does not contain a specific template or profile with the name default, the configuration of the parameters is required.