Navigation
Back up to About Overview
[+] Expand All
[-] Collapse All
A
- access lines 1
- accesses
- configuring subscriptions
- accounting
- anonymous subscriber
- attributes
- authenticated subscriber
- authentication plug-ins
- authorization plug-ins
B
C
- captive portal
- classification scripts
- conditions 1
- configuring
- descriptions
- DHCP classification, C Series Controller
- interface classification, C Series Controller
- structure
- subscriber classification, C Series Controller
- target, C Series Controller
- component interactions
- conventions
- COPS (Common Open Policy Service)
- custom RADIUS accounting plug-ins 1
- configuring
- custom RADIUS authentication plug-ins 1
- configuring
- customer support 1
D
- default retailer authentication plug-ins
- configuring
- default retailer DHCP authentication plug-ins
- configuring
- denial-of-service attacks
- DHCP (Dynamic Host Configuration Protocol)
- address assignment
- classification scripts. See classification scripts
- options
- profiles
- subscribers
- documentation
E
- enterprise
- enterprise subscribers 1
- adding
- enterprise subscribers, login process
- event publishers
- configuring
- default retailer authentication, configuring
- default retailer DHCP authentication, configuring
- description
- retailer-specific
- service-specific
- virtual router-specific
- external plug-ins
- configuring
F
- file upload settings for log rotation
- configuring
- flat file accounting plug-ins 1
- flexible RADIUS accounting plug-ins 1
- attributes, defining
- configuring
- RADIUS packets, defining
- flexible RADIUS authentication plug-ins 1
- attributes, defining
- configuring
- RADIUS packets, defining
- setting responses
- FTP server for log rotation
G
- general properties
- configuring
H
- HTTP proxy 1, 2
- HTTPS traffic
I
- interface classification scripts. See classification scripts
- interim accounting, configuring on SAE
- internal plug-ins
- configuring
L
- LDAP authentication plug-in 1
- configuring
- limiting subscribers plug-in 1
- configuring
- log rotation
- overview
- logging
- login events, description
- login process
- login registration
- configuring
- logout process, residential
M
- managers
- manuals
N
- NAT (Network Address Translation)
- notice icons
P
- plug-ins
- activating service sessions
- authentication
- authorization
- basic RADIUS accounting 1
- basic RADIUS authentication 1
- creating subscriber sessions
- custom RADIUS accounting 1
- custom RADIUS authentication 1
- defining RADIUS packets
- DHCP address assignment
- event publishers. See event publishers
- external
- flat file accounting 1
- flexible RADIUS accounting 1
- flexible RADIUS authentication 1
- internal 1
- LDAP authentication 1
- limiting subscribers 1
- state synchronization
- tracking
- policy groups
- policy management
- PPP subscribers
- prevention, use of unauthorized resources
- protocols
- proxy HTTP 1, 2
- proxy request management
- public addresses, VPNs
Q
R
- RADIUS accounting
- RADIUS attributes
- defining in RADIUS plug-ins
- examples, defining in RADIUS plug-ins
- RADIUS client library, custom RADIUS plug-ins
- RADIUS packets, customizing in plug-ins
- RADIUS peers
- configuring in plug-ins
- RADIUS plug-ins 1, See also plug-ins
- redirect server
- assessing load
- configuration statements
- configuring
- configuring DNS server for
- configuring HTTP proxy support
- configuring redundant
- directory connection
- failover
- file extensions
- logging
- number of requests
- protection against denial-of-service attacks
- redundancy 1, 2, 3
- static route to router
- traffic definition
- verifying
- redundancy
- residential subscribers 1
- adding
- login process. See login process
- retailers
- subscribers 1
- router subscribers 1
- adding
- routing instances
- routing scheme
S
- SAE (service activation engine)
- classification scripts. See classification scripts
- login events
- login process. See login process
- SAE (service activation engine), configuring
- service activation engine. See SAE
- service sessions
- sites 1, 2, 3
- subscriber 1
- state synchronization plug-in interface
- configuring
- static IP subscribers, login process
- static routing
- subscriber classification scripts. See classification scripts
- subscriber folders 1
- adding
- subscriber sessions
- subscribers
- 3gpp attributes (Gx router driver)
- adding
- enterprise 1
- inheriting properties
- inheriting subscriptions
- residential 1
- retailer 1
- router 1
- sessions
- sites 1
- types
- subscriptions 1
- access, configuring
- an orderly deactivation, activation order, specifying
- configuring
- multiple per subscriber
- support, technical See technical support
T
- targets. See classification scripts
- technical support
- text conventions defined
- tracking plug-ins 1
- configuring
U
- UDP ports
- User Datagram Protocol. See UDP
V
- validating
- virtual private networks. See VPNs
- VPNs (virtual private networks)
- adding
- configuration requirements
- configuration statements
- extranet clients, modifying
- invalid subscriptions
- modifying
- routing schemes
- using NAT
- validating
Download This Guide
PPP Subscriber Login and Service Activation
PPP subscribers access the network by using either special PPP or PPP over Ethernet software on their network access device. PPP access provides a means to configure the subscriber’s network access device with several network parameters, including an IP address and a channel for transporting IP packets between the subscriber’s network device and the router.
For subscribers with PPP access, logging in to the network consists of starting the PPP client, and logging out consists of stopping it. On PPP login, the router authenticates the subscriber as normal with a message to a RADIUS server. The router then notifies the SAE that there is a new IP interface on the router. The message to the SAE includes information such as the subscriber’s IP address (if assigned by the router or RADIUS server), PPP login ID, and router interface ID. Using this information, the SAE retrieves the information to construct the default policies. The SAE then activates subscription policies, which are downloaded to the router and applied to the subscriber’s network interface.
Subscribers can log in to the system with different accounts to different retail Internet service providers (ISPs). Subscribers use a different login ID for each account.
PPP requires special software on a network access device. The PPP software must be installed and maintained by the subscriber. The software can interfere with other applications.
Web Login for PPP Subscribers
In a PPP session, an IP address and a subscriber profile are authenticated at the same time. However, for some applications a split of subscriber profile and PPP session is useful; for example:
- Generic PPP account—An ISP could offer generic PPP login names and passwords for everybody and use Web-based login to identify subscribers.
- Device-based PPP—A PPP login may be used between a digital subscriber line (DSL) access device and a router. In this case a PPP login does not correspond to a subscriber session.
- Subaccounts with different services.
As a consequence, the Service Selection Portal (SSP) API allows creation of a Web application that:
- Allows PPP subscribers to log out—When the PPP subscriber logs out, the current subscriber session is closed, all active services are deactivated, and accounting records are generated. The unauthenticated subscriber entry is then associated with the IP address of the subscriber. This process is similar to a DHCP logout.
- Forces an unauthenticated PPP subscriber (that is, a PPP subscriber account that is bound to the unauthenticated subscriber entry or to an anonymous subscriber entry) to log in—The subscriber provides a username, realm (domain), and password. Authentication is processed in the same way as a DHCP login.
PPP Login Interactions
Figure 3 shows the interactions that take place during a PPP login.
Figure 3: PPP Login Interactions
The login sequence is as follows:
- The subscribers initiate a PPP login by starting a PPP client on their network devices.
- The router sends an authentication request to the RADIUS server.
- The RADIUS server sends a user ID query to the directory.
- The directory responds with the data (IP address for the subscriber’s network device) needed to authenticate the login, and then completes the configurations of the interface on the router and on the subscriber’s network device.
- If the authentication succeeds, the RADIUS server responds to the router with a grant message, including the network configuration parameters.
- The configurations of the PPP and IP interfaces on the router and subscriber’s network device are completed. For dual-stack interfaces, see SAE Support for Dual-Stack Configuration.
- The router sends an accounting start message to the RADIUS server, indicating that a subscriber session has started.
- The RADIUS server acknowledges the accounting start message.
- The router sends a COPS or BEEP request message to the SAE. The message includes the user ID and the IP address assigned to the IP interface on the subscriber’s network device. The SAE associates the subscriber’s IP address with the subscriber session so that it can associate later requests from the subscriber with this session by looking at the source IP address of the request.
- The SAE uses the subscriber ID to look up the subscriber’s data in the directory.
- The directory responds with data about the subscriber and the associated subscriptions. This data specifies which subscriptions should be automatically activated.
- The SAE sends a series of decision (DEC) messages to the router. These messages tell the router to attach default policies and policies for automatically activated subscriptions to the subscriber’s interface. They also tell the router to store subscriber and service sessions so that if the SAE fails, the subscribers can continue using their active subscriptions. If the SAE fails, the router connects to a backup SAE that synchronizes all session information and then takes over management of active subscribers on the router. During the synchronization process, active sessions are not affected.
- The router acknowledges the decision messages with a report (RPT) message.
- If interim accounting is enabled, the router periodically sends an accounting request to the RADIUS server to store an interim accounting record.
- The RADIUS server sends an acknowledge message to the router, acknowledging the receipt of the interim accounting record.
PPP Logout Interactions
Figure 4 shows the interactions that take place when a subscriber logs out of a PPP session.
Figure 4: PPP Logout
The logout sequence is as follows:
- The subscribers trigger their PPP software to close the PPP session with the router.
- The router sends a COPS or BEEP delete request (DRQ) message, informing the SAE that the subscriber’s IP interface is being shut down.
- The SAE responds with decision (DEC) messages, requesting the router to remove the default and active subscription policies and sessions for the subscriber.
- The router responds with a report (RPT) message that includes the usage data for the subscriptions that were just deactivated.
- The SAE sends an accounting stop message to the RADIUS server, indicating that a service session has stopped. The stop message includes the usage data. (For information about service sessions, see Subscriptions and Activations.)
- The RADIUS server acknowledges the accounting stop request.
- The router sends an accounting stop message to the RADIUS server, indicating that a subscriber session has stopped.
- The RADIUS server acknowledges the accounting stop request.
Related Documentation
- Login Events and Processes Overview
- Automatic Activation at Login
- DHCP Subscriber Login and Service Activation
- Example: Managing Interfaces for Premium and Basic PPP and DHCP Subscribers
