A local user data base defines a collection of host entries. There are two types of hosts: PPP and IPoE. A local user database can be used to:
Authenticate PPP clients. For this only the host entries configured in the ppp CLI are matched.
Authenticate IPoE hosts (DHCPv4, DHCPv6 IA-NA/IA-PD, SLAAC). The host entries configured in the ipoe CLI context are matched.
Perform authentication and address management for the local DHCPv4 server. For this, both PPP and IPoE sections can be used depending on the client type indicated by a vendor-specific sub-option inside Option 82 of the DHCPv4 message.
Each host can be identified by a set of values. However, at any point in time only four of these values are considered for IPoE as defined by the ipoe match-list option and only three are considered for PPP as defined in the ppp match-list option.
When trying to find a matching host entry, attempts are made to match as many items as possible. If several hosts match an incoming IPoE packet, the one with most match criteria is taken.
One host entry can map on several physical clients. For instance, when using a circuit ID, by masking when the interface ID is used, the host entry is used for all the clients on that same interface.
IPoE host identification includes:
circuit ID
This field also matches the DHCPv6 interface-id field
MAC address
remote ID
Matches on the remote-id sub-option in option 82 for DHCPv4 clients and on the remote-id option (including enterprise-id field) for DHCPv6 clients
Option 60 from DHCPv4 message
Only first 32 bytes are looked at
SAP ID
service ID
string from vendor-specific sub-option of Option 82
system ID
derived-id
a string provided via a DHCP Python script
dual-stack-remote-id
matches on the remote-id sub-option in option 82 for DHCPv4 clients and on the remote-id field in the remote-id option (without enterprise-id) for DHCPv6 clients
encap-tag-range
matches on VLAN tag ranges
IP
matches on the source IPv4/IPv6 address of a data-trigger packet
PPP host identification includes:
circuit ID
MAC address
remote ID
username, either complete username, domain part only, or host part only
derived ID
a string provided by Python script
When a host cannot be inserted in the lookup database, it is placed in an unmatched-hosts list. This can occur because
Another host with the same host-identification exists. Only the host-identification that is specified in the match-list is considered.
A host has no host-identification specified in the match-list.
When used for PPPoE-authentication, the fields are used as follows:
password
Verifies the PPPoE user password. This is mandatory. If no password is required then it must be explicitly set to ignore.
address
no address
No address information. The address must be obtained by other means, either RADIUS or DHCP server.
gi-address
No meaning in this context. The address must be obtained by other means, either RADIUS or DHCP server.
use-pool-from-client
No meaning in this context. The address must be obtained by other means, either RADIUS or DHCP server.
pool-name
The address must be obtained by other means, either RADIUS or a DHCP server. When a DHCP server is used, this pool name is included in Option 82 vendor-specific sub-option.
ip-address
This IP address is offered to the client.
identification-strings
Returns the strings used for enhanced subscriber management (ESM).
options
Only DNS servers and NBNS server are used, others are ignored.
When used from the DHCP server, the following applies:
password
Not used.
address
Defines how the address must be allocated for this host.
no address
The host is not allowed. The clients mapping to this host do not get an IP address.
gi-address
Finds the matching subnet and an IP address is taken from that subnet.
pool-name
A free IP address is taken from that pool.
ip-address
This address is offered to the client.
use-pool-from-client
Use the poolname in the Option 82 vendor-specific sub-option. If no poolname is provided there, falls back to the DHCP server default (none or use-gi-address).
identification-strings
The operator can specify subscriber management strings and in which option the strings are sent back in dhcp-offer and dhcp-ack messages.
options
The operator defines which options specific to this host should be sent back in the dhcp-offer and dhcp-ack messages. The options defined here override options defined on the pool-level and subnet-level inside the local DHCP server.
The circuit ID from PPPoE or from Option 82 in IPoE messages can be masked in following ways:
prefix-length
Drop a fixed number of bytes at the beginning of the circuit-id.
suffix-length
Drop a fixed number of bytes at the end of the circuit-id.
prefix-string
The matching string is dropped from the beginning of the circuit-id. The matching string can contain wildcards (*). For example: incoming circuit-id mybox|3|my_interface|1/1/1:22 masked with *|*| leaves my_interface|1/1/1:22.
suffix-string
The matching string is dropped at the end of the circuit-id. For example: incoming circuit-id mybox|3|my_interface|1/1/1:22 masked with |* results in mybox|3|my_interface.
The following is an example of a local user database used for PPPoE authentication:
*A:ALA-48>config>subscr-mgmt# info
----------------------------------------------
...
local-user-db "pppoe user db"
description "pppoe authentication data base"
ppp
match-list username circuit-id
mask prefix-string "*|*|" suffix-string "|*"
host "john" create
host-identification
username "john" no-domain
exit
password pap "23T8yPoe0w1R.BPGHB98i0qhJf7ZlZGCtXBKGnjrIrA" hash2
no shutdown
exit
host "test.com" create
host-identification
username "test.com" domain-only
exit
password ignore
no shutdown
exit
host "john@test.com" create
host-identification
username "john@test.com"
exit
password pap "23T8yPoe0w0Tlf1yCb4hskknvTYLqA2avvBB567g3eQ" hash2
identification-strings 122 create
subscriber-id "john@test.com"
sla-profile-string "sla prof1"
sub-profile-string "subscr profile 1"
ancp-string "ancp string"
inter-dest-id "inter dest"
exit
no shutdown
exit
host "john@test.com on interface group-if"
host-identification
circuit-id string "group-if"
username "john@test.com"
exit
password pap "23T8yPoe0w1R.BPGHB98i0qhJf7ZlZGCtXBKGnjrIrA" hash2
address 10.1.2.3
no shutdown
exit
exit
no shutdown
exit
...
----------------------------------------------
*A:ALA-48>config>subscr-mgmt#
The following are some examples when a user tries to set up PPPoE:
john@test.com tries to set up PPPoE with circuit-id pe_23|3|group-if|1/1/1: host john@test.com on interface group-if match, the PAP password is checked and the IP address 10.1.2.3 is assigned to the PPPoE to use for this host.
john@test.com (on another interface): host john@test.com matches, the PAP password is checked, and identification strings are returned to PPPoE.
nokie@test.com: host test.com matches, no password check, the user is allowed.
john@nokia.com: host john matches and the password is checked.
anybody@anydomain: does not match and is not allowed.
The following is an example of a local user database used for DHCP server for IPoE clients:
*A:ALA-50>config>subscr-mgmt# info
----------------------------------------------
...
local-user-db "dhcp server user db"
description "dhcp server user data base"
ipoe
match-list circuit-id mac
mask prefix-string "*|*|" suffix-string "|*"
host "mac 3 on interface" create
host-identification
circuit-id string "group-if"
mac 00:00:00:00:00:03
exit
address 10.0.0.1
no shutdown
exit
host "maskedCircId" create
host-identification
circuit-id string "group-if"
exit
address pool "pool 1"
identification-strings 122 create
subscriber-id "subscriber 1234"
sla-profile-string "sla prof 1"
sub-profile-string "sub prof 1"
ancp-string "ancpstring"
inter-dest-id "inter dest id 123"
exit
options
netbios-name-server 1.2.3.4
lease-time min 2
exit
no shutdown
exit
exit
no shutdown
exit
...
----------------------------------------------
*A:ALA-50>config>subscr-mgmt#
The following is an access example:
MAC 00:00:00:00:00:03 on circuit-id pe5|3|group-if|1/1/1: host mac 3 on interface is matched and address 10.0.0.1 is offered to the IPoE client.
Another MAC on circuit-id pe5|3|group-if|2/2/2: host maskedCircId is matched and an address is taken from pool1 (defined in the DHCP server). The identification-strings are copied to Option 122 in the dhcp-offer and dhcp-ack messages. The options defined here are also copied into dhcp-offer and dhcp-ack messages.
The circuit-id pe5|3|other_group_if|1/1/3: no host is matched. The client only gets an IP address if on DHCP server level defined the use-gi-address parameter and the gi-address matches a subnet.
The following is an example of a local user database used for a DHCP server, only for PPPoE clients:
If PPPoE does not get an IP address from RADIUS or the local-user-db used for authentication, the internal dhcp-client is used to access a DHCP server which can be in the same node or in another node. These request are identified by inserting Option 82 sub-option client-id in the dhcp-discover and dhcp-request messages. When the DHCP server receives this request and has a user-db connected to it, then the PPPoE section of that user-db is accessed.
*A:ALA-60>config>subscr-mgmt# info
----------------------------------------------
...
local-user-db "pppoe user db"
description "pppoe authentication data base"
ppp
match-list username
host "internet.be" create
host-identification
username "internet.com" domain-only
exit
address "pool_1"
no shutdown
exit
host "john@internet.com" create
host-identification
username "john@internet.com"
exit
identification-strings 122 create
subscriber-id "john@test.com"
sla-profile-string "sla prof1"
sub-profile-string "subscr profile 1"
ancp-string "ancp string"
inter-dest-id "inter dest"
exit
address use-gi
no shutdown
exit
host "malicious@internet.com"
host-identification
circuit-id string "group-if"
username "internet@test.com"
exit
no shutdown
exit
exit
no shutdown
exit
...
----------------------------------------------
*A:ALA-60>config>subscr-mgmt#
The following is an access example:
john@internet.com: GI is used to find a subnet and a free address is allocated form that subnet. Identification strings are returned in Option 122.
anybody@internet.com: pool_1 is used to find a free IP address.
malicious@internet.com: no address is defined. This user does not get an IP address.
The following is an example of associating a local user database to PPPoE for authentication for the 7750 SR.
A:pe5>config>service>vprn#
----------------------------------------------
subscriber-interface "tomylinux" create
address 10.2.2.2/16
group-interface "grp_pppoe3" create
pppoe
e "pppoe"
exit
exit
----------------------------------------------
A:pe5>config>service>vprn#
The following is an example of associating a local user database to a local DHCP server.
A:pe7>config>router>dhcp#
----------------------------------------------
local-dhcp-server my_server
description "my dhcp server"
user-db "data base 1"
...
exit
----------------------------------------------
A:pe7>config>router>dhcp#
In PPPoE access scenarios without access node or with access nodes that do not insert PPPoE vendor specific tags Circuit-ID or Remote-ID, it may be required to configure this information in the local user database so that they can be picked up in pre-authentication phase and used for RADIUS authentication and reporting in RADIUS accounting messages. For example:
config>subscr-mgmt
local-user-db "ludb-1" create
ppp
match-list username
host "host-1" create
access-loop-information
circuit-id string "LUDB inserted circuit-id"
remote-id string "LUDB inserted remote-id"
exit
host-identification
username "cpe-1@domain1.com"
exit
auth-policy "auth-policy-1"
password ignore
no shutdown
exit
exit
With PPPoE, when the system accesses a LUDB during a discovery phase, a matched host could return a second LUDB via a user-db configuration under the LUDB host context. This second database is accessed again during the PAP/CHAP phase. The following is an example:
local-user-db "padi-db" create
ppp
match-list derived-id
host "testuser" create
host-identification
derived-id "testuser"
exit
msap-defaults
group-interface "g1"
service 500
exit
user-db "chap-db"
no shutdown
exit
exit
no shutdown
exit
local-user-db "chap-db" create
ppp
match-list derived-id username
host "testuser" create
host-identification
derived-id "testuser"
username "testuser"
exit
password chap "cYhRmQYWOkLW3s0LrtEnBjWlAwFa/1Kx" hash2
identification-strings 254 create
sla-profile-string "sla-2"
exit
no shutdown
exit
exit
no shutdown
exit