A single authentication is performed for all subscriber hosts that belong to the same IPoE session. Table: IPoE session authentication trigger packets lists the packets that trigger an IPoE session authentication.
IP stack | Trigger packets |
---|---|
IPv4 | DHCPv4 Discover; DHCPv4 Request |
IPv6 WAN | DHCPv6 Solicit; DHCPv6 Request; DHCPv6 Relay Forward (Solicit); DHCPv6 Relay Request (Solicit); Router Solicitation |
IPv6 PD | DHCPv6 Solicit; DHCPv6 Request; DHCPv6 Relay Forward (Solicit); DHCPv6 Relay Request (Solicit) |
When a trigger packet is received on a capture SAP or group-interface with IPoE sessions enabled, an IPoE session lookup is performed based on the configured IPoE session key:
- If no IPoE session is found, a new session is created and authenticated following the ESM authentication configuration, such as local user database lookup, RADIUS or Diameter authentication, defaults, and so on. After successful authentication, the authentication data is stored in the IPoE session state. The subscriber host is created and associated with the session.
- If an IPoE session already exists and no re-authentication must be performed, the subscriber host is created using the stored IPoE session data. The subscriber host is associated with the session.
- If an IPoE session already exists and re-authentication must be performed, the session is re-authenticated. When successful, the authentication data for the IPoE session is updated and applied to all associated hosts. The subscriber host is created and associated with the session. When unsuccessful, existing hosts associated with the session are not impacted and the session data is kept unchanged.
Re-authentication is disabled by default for IPoE sessions. To enable re-authentication, a minimum authentication interval must be configured. The min-auth-interval CLI parameter configures the maximum frequency of re-authentications by specifying a minimum interval between two non-forced authentications for the same IPoE session. A re-authentication is triggered by the renewal of any host belonging to the IPoE session. Setting the min-auth-interval to zero seconds causes a re-authentication on each trigger packet. The re-authentication command in a RADIUS authentication policy is ignored for IPoE session authentication.
A forced authentication is performed when the Circuit-Id/Interface-Id or Remote-Id in the trigger packet has changed. An empty or absent Circuit-Id/Interface-Id or Remote-Id is not considered a change. The default forced authentication behavior can be changed with the force-auth command in the group-interface>ipoe-session context to one of the following: force authentication only on a Circuit-Id/Interface-Id change, force authentication only on a Remote-Id change, or disable forced authentications.
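The session lookup, min-auth-interval, and forced authentication rules described above can be modeled as a small decision function. This is an added example, not vendor code: the names `Session`, `auth_decision`, `handle_trigger`, and the mode labels `both`/`cid`/`rid`/`disabled` are hypothetical. It assumes that a forced authentication is not subject to min-auth-interval, that the interval is measured from the last authentication, and that no new host is created when authentication fails.

```python
from dataclasses import dataclass

@dataclass
class Session:                      # model of stored IPoE session state
    circuit_id: str
    remote_id: str
    last_auth: float                # time of last authentication (seconds)

def changed(stored, received):
    # An empty or absent ID is not considered a change (applied here to
    # the value received in the trigger packet: a modelling assumption).
    return bool(received) and received != stored

def auth_decision(session, circuit_id, remote_id, now,
                  min_auth_interval=None, force_auth="both"):
    """Return 'new-auth', 'forced-auth', 're-auth' or 'use-stored'."""
    if session is None:
        return "new-auth"
    cid = changed(session.circuit_id, circuit_id)
    rid = changed(session.remote_id, remote_id)
    # Mode labels are this model's own, not CLI keywords.
    forced = {"both": cid or rid, "cid": cid, "rid": rid,
              "disabled": False}[force_auth]
    if forced:
        return "forced-auth"        # assumed exempt from min-auth-interval
    if min_auth_interval is None:   # re-authentication disabled by default
        return "use-stored"
    # Zero always re-authenticates; otherwise wait out the interval.
    if now - session.last_auth >= min_auth_interval:
        return "re-auth"
    return "use-stored"

def handle_trigger(session, pkt, now, authenticate, **cfg):
    """Apply one trigger packet; return (session, decision, host_created)."""
    cid, rid = pkt.get("circuit_id", ""), pkt.get("remote_id", "")
    decision = auth_decision(session, cid, rid, now, **cfg)
    if decision == "use-stored":
        return session, decision, True
    if not authenticate(pkt):
        # Failure: stored session data and existing hosts are untouched;
        # not creating the new host is an assumption of this model.
        return session, decision, False
    old = session or Session("", "", now)
    return Session(cid or old.circuit_id, rid or old.remote_id, now), decision, True
```

With re-authentication left disabled and forced authentication set to `disabled`, a host that renews with a different Circuit-Id keeps using the stored session data, which is the case to check when reviewing a configuration for access-line binding.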
A new local user database configuration in the ipoe-session CLI context on a capture SAP or group interface ensures that all subscriber hosts associated with an IPoE session use the same database and therefore common match criteria. The per-subscriber-host-type user-db configurations, such as ipv6 dhcp6 user-db, dhcp user-db, and rtr-solicit-user-db, are ignored when IPoE sessions are enabled.