Local authentication is available for data-triggered dynamic services deployments where RADIUS is used for accounting and dynamic changes (CoA) but cannot provide the actual service provisioning parameters.
When a valid Ethernet frame is received on a dynamic services data trigger capture SAP, it is sent to the control plane for authentication. The dynamic services policy configured at the capture SAP specifies the local authentication parameters, as shown in the following example:
configure service
    vpls 10 customer 1 create
        sap 1/1/4:1214.* capture-sap create
            description "Dynamic Services Data Trigger capture-sap"
            dynamic-services
                dynamic-services-policy "dyn-svc-2"
                no shutdown
            exit
            no shutdown
        exit
        no shutdown
    exit
    dynamic-services
        dynamic-services-policy "dyn-svc-2" create
            ---snip---
            authentication
                local-auth-db "dynsvc-db-1"
            exit
            ---snip---
        exit
    exit
Local authentication and RADIUS authentication are mutually exclusive and cannot be configured simultaneously in a config>service>dynsvc>plcy>authentication context.
The local-auth-db CLI command references the local authentication database to be used for authentication, as shown in the following example:
configure service
    dynamic-services
        local-auth-db "dynsvc-db-1" create
            user-name "1/1/4:1214.101" create
                description "dynsvc: epipe"
                index 1 create
                    dynamic-services-policy "dyn-svc-2"
                    sap-id "1/1/4:1214.101"
                    script-parameters-1 "epipe_1={'t':('dynsvc-epipe-1',None,None,10,11)}"
                    accounting 1 create
                        stats-type volume-time
                        update-interval min 30
                    exit
                exit
                no shutdown
            exit
            no shutdown
        exit
    exit
A username is used as a key for a lookup in the local authentication database. The username format for dynamic service data triggers is fixed to the SAP ID of the data trigger. For each username entry (data trigger sap-id), multiple dynamic service SAPs can be specified (indexes). The index enables multiple dynamic service SAPs to be associated with a single dynamic service data trigger.
The following data can be specified for each index (dynamic service SAP) in a user-name entry:
dynamic service sap-id (mandatory)
The dynamic service SAP ID that is created. The SAP ID of one of the indexes must match the dynamic service data trigger sap-id.
dynamic-services-policy dynsrv-policy-name (optional)
Specifies the policy to use for setting up the dynamic service. If not specified, the policy provisioned at the dynamic service data trigger capture-sap is used.
script-parameters (mandatory)
Script parameters are used as input to the dynamic data service Python script. They are specified as four strings of up to 250 characters each. The concatenation of all four script parameter strings is passed to the Python script and must be formatted as function-key dictionary. The function-key specifies which Python function is called, and the dictionary contains the actual parameters in a Python dictionary structure format. The format should match the format of the [26-6527-165] Alc-Dyn-Serv-Script-Params attribute when RADIUS authentication is used.
accounting overrides (optional)
For each of the two RADIUS accounting destinations, the stats-type and update-interval can be specified. These parameters override the configured value in the dynamic services policy:
stats-type specifies if dynamic service RADIUS accounting should be enabled or disabled. RADIUS accounting is enabled by specifying the statistics type: volume and time or time only. RADIUS accounting is disabled when no stats-type is specified.
update-interval specifies the time between each dynamic data service accounting interim update. The generation of interim accounting updates is disabled when no update-interval is specified.
A local authentication database can only be used to authenticate a dynamic service data trigger and provide parameters to set up associated dynamic services. The script action cannot be specified and is always set to "setup".
The setup timeout for Access-Accept (CLI command: configure service dynamic-services timers setup-timeout access-accept timeout) also applies for local authenticated dynamic services.
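The per-index rules above can be checked off-box before an entry is committed. The following is an added example, not Nokia code: it lints one user-name entry held in a hypothetical in-memory dict, assumes the `=` separator between function-key and dictionary seen in the configuration example, and parses the dictionary with `ast.literal_eval` so that nothing in the parameter string is executed.

```python
import ast

MAX_PARAM_LEN = 250    # per-string limit stated on this page
MAX_PARAM_STRINGS = 4  # script-parameters strings per index


def parse_script_params(parts):
    """Concatenate the script-parameters strings and split them into
    (function_key, dictionary) without executing any of the content."""
    if not 1 <= len(parts) <= MAX_PARAM_STRINGS:
        raise ValueError("expected 1 to 4 script-parameters strings")
    for n, part in enumerate(parts, 1):
        if len(part) > MAX_PARAM_LEN:
            raise ValueError(f"script-parameters-{n} exceeds 250 characters")
    key, sep, body = "".join(parts).partition("=")
    if not sep or not key.strip():
        raise ValueError("missing function-key before '='")
    try:
        # literal_eval accepts only Python literals; calls and imports fail here
        params = ast.literal_eval(body.strip())
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError(f"parameters are not a Python literal: {exc}") from None
    if not isinstance(params, dict):
        raise ValueError("parameters must be a Python dictionary")
    return key.strip(), params


def lint_user_entry(user_name, indexes):
    """indexes maps index number -> {'sap-id': str, 'script-parameters': [str, ...]}
    (hypothetical form of one user-name entry). Returns a list of findings."""
    findings = []
    if not any(i.get("sap-id") == user_name for i in indexes.values()):
        findings.append("no index sap-id matches the data trigger sap-id")
    for num, idx in sorted(indexes.items()):
        if not idx.get("sap-id"):
            findings.append(f"index {num}: sap-id is mandatory")
        try:
            parse_script_params(idx.get("script-parameters") or [])
        except ValueError as exc:
            findings.append(f"index {num}: {exc}")
    return findings


# Constructed sample, using the values from the page's configuration example
SAMPLE = {1: {"sap-id": "1/1/4:1214.101",
              "script-parameters": ["epipe_1={'t':('dynsvc-epipe-1',None,None,10,11)}"]}}
```
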