ESM parameters (ESM strings and other IP parameters) obtained during authentication and re-authentication phases are combined from various sources with a specific preference order as follows:
ESM Python (set.esm function)
Diameter/Gx
LUDB
RADIUS
Diameter/Nasreq
LocalAddressAssignment
GTP
DHCP
DHCP parameters that came from standard DHCP options returned by the DHCP server directly
Information extracted from options (strings-from-options). This is applicable for IPoE and PPPoE (DHCP client) that use a local DHCP server with LUDB.
DHCP ACK Python
defaults, if any
For example, if the same ESM parameter is provided through both authentication sources, LUDB and RADIUS, the ESM parameter from LUDB always overrides the ESM parameter obtained from RADIUS.
SR OS allows the priority of LUDB and RADIUS sources to be reversed. This prioritization of authentication sources, where RADIUS is granted priority over LUDB, ensures that parameters from LUDB are used as a backup, only in cases where the same ESM parameters are not provided by RADIUS.
The settings that allow swapping of the LUDB and RADIUS priorities as authentication sources are configured on the system level as follows.
Classic CLI:
subscriber-mgmt
authentication-origin
[no] priority <id> source <string>
exit
exit
The only accepted configuration option is id 3 and RADIUS as the source string. This configuration moves RADIUS to position 3 and shifts everything from the previous position 3 downward.
The defaults are restored by using the no form of the priority command.
The active order of priorities can be displayed in the output of the show>subscr-mgmt>authentication-origin command:
*A:cses-V26>config>subscr-mgmt>auth-orig# show subscriber-mgmt authentication-origin
===============================================================================
Authentication Origins
===============================================================================
Priority Source
-------------------------------------------------------------------------------
1 python
2 diameterGx
3 ludb
4 radius
5 diameterNasreq
6 localAddressAssignment
7 gtp
8 dhcp
-------------------------------------------------------------------------------
Number of Authentication Origins : 8
===============================================================================
*A:cses-V26>config>subscr-mgmt>auth-orig# priority 3 source radius
*A:cses-V26>config>subscr-mgmt>auth-orig# show subscriber-mgmt authentication-origin
===============================================================================
Authentication Origins
===============================================================================
Priority Source
-------------------------------------------------------------------------------
1 python
2 diameterGx
3 radius
4 ludb
5 diameterNasreq
6 localAddressAssignment
7 gtp
8 dhcp
-------------------------------------------------------------------------------
Number of Authentication Origins : 8
===============================================================================
*A:cses-V26>config>subscr-mgmt>auth-orig#
The following describes the configuration logic where both LUDB and RADIUS are accessed during authentication phase:
LUDB is referenced under the capture SAP (if the capture SAP is deployed) and the group interface (DHCP, DHCP6, or PPPoE).
The authentication policy is referenced in LUDB (and not under the capture SAP and group interface).
With this approach, LUDB is accessed first and subscribers can be authenticated based on generic criteria, such as a range of VLANs or a default user. The ESM parameters obtained in this step are stored.
After LUDB authentication, RADIUS is accessed when authentication on subscriber-specific authentication fields is performed (for example, based on a username, circuit-id, MAC address, and so on). During this RADIUS authentication phase, another set of ESM parameters more tailored for the specific user is obtained, effectively overriding the overlapping parameters from LUDB.