When RADIUS authentication for subscriber sessions is enabled, DHCP messages from subscribers are temporarily held by the BSA, while the user’s credentials are checked on a RADIUS server.
Configuring RADIUS authentication for subscriber sessions is done in two steps:
First, define an authentication-policy in the config>subscriber-mgmt>authentication-policy context.
Then apply the policy to one or more SAPs in the config>service>vpls>sap>authentication-policy auth-plcy-name context (for a VPLS service).
Or apply the policy to one or more interfaces in the config>service>ies>if>authentication-policy auth-plcy-name context (for an IES service).
The following example displays a partial BSA configuration with RADIUS authentication:
A:ALA-1>config>service# info
----------------------------------------------
subscriber-management
    authentication-policy BSA_RADIUS create
        description "RADIUS policy for DHCP users Authentication"
        password "mysecretpassword"
        radius-authentication-server
            server 1 address 10.100.1.1 secret "radiuskey"
            retry 3
            timeout 10
        exit
        re-authentication
        user-name-format circuit-id
    exit
exit
...
vpls 800 customer 6001
    description "VPLS with RADIUS authentication"
    sap 2/1/4:100 split-horizon-group DSL-group create
        authentication-policy BSA_RADIUS
    exit
    sap 3/1/4:200 split-horizon-group DSL-group create
        authentication-policy BSA_RADIUS
    exit
    no shutdown
exit
...
----------------------------------------------
A:ALA-1>config>service#
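The following added example (not part of the original documentation or of any vendor tooling) checks that both configuration steps were completed: it reports every VPLS SAP in an "info" listing that has no authentication-policy applied or that names a policy that is never defined. It assumes the listing keeps its nesting indentation, covers SAPs only (not IES interfaces), and the function name audit and the sample input are constructed for illustration.

```python
import re

# Constructed sample in the page's "info" layout: one SAP with the policy,
# one SAP with no policy, and one SAP naming a policy that is never defined.
SAMPLE = """\
subscriber-management
    authentication-policy BSA_RADIUS create
        radius-authentication-server
            server 1 address 10.100.1.1 secret "radiuskey"
        exit
    exit
exit
vpls 800 customer 6001
    sap 2/1/4:100 split-horizon-group DSL-group create
        authentication-policy BSA_RADIUS
    exit
    sap 3/1/4:200 split-horizon-group DSL-group create
    exit
    sap 3/1/4:300 split-horizon-group DSL-group create
        authentication-policy BSA_RADIUSS
    exit
exit
"""

def audit(config):
    """Return sorted (sap, problem) findings for an indented info listing."""
    defined, saps, stack = set(), {}, []  # stack: (indent, line) of open contexts
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "exit", "..."):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()  # drop contexts that are not ancestors of this line
        parent = stack[-1][1] if stack else ""
        m = re.fullmatch(r"authentication-policy (\S+)( create)?", line)
        if m and m.group(2):
            defined.add(m.group(1))               # step 1: policy is defined
        elif m and parent.startswith("sap "):
            saps[parent.split()[1]] = m.group(1)  # step 2: policy applied to SAP
        elif line.startswith("sap "):
            saps[line.split()[1]] = None          # SAP seen, no policy so far
        stack.append((indent, line))
    return sorted(  # evaluated after the loop, so definition order does not matter
        (sap, "no authentication-policy applied" if pol is None else f"undefined policy {pol}")
        for sap, pol in saps.items() if pol not in defined)

if __name__ == "__main__":
    print(audit(SAMPLE))
```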