ANCP Agent and AAA
ANCP Agent Interactions with AAA
The ANCP agent reports both unadjusted (net) data rates and adjusted data rates for subscriber traffic to AAA for RADIUS authentication and accounting of subscriber sessions. The adjusted data rate enables RADIUS to allocate the appropriate services (including class of service) to PPPoE sessions during authentication. The rate reports also enable RADIUS accounting to track the class of service actually provided for the PPPoE sessions, which in turn enables accurate billing for subscriber services.
The access nodes send ANCP DSL attributes in ANCP messages to the router, where they are stored in the shared database. AAA maps the ANCP DSL attributes to both the Juniper Networks DSL VSAs (used by RADIUS) and the DSL Forum VSA subattributes (also called the DSL Forum VSAs). RADIUS uses these attributes during authentication and accounting for PPPoE sessions on the subscriber access line. The attributes persist even when the ANCP session to a given node has ended, enabling RADIUS to later apply these attributes to new sessions on that subscriber access line. To remove the attributes, you must delete the interface or interface set for the access line from the ANCP agent configuration.
The RADIUS profile must be configured to include the juniper-access-line-attributes option, or AAA does not report the attributes to RADIUS. If the ANCP DSL attributes are unavailable, AAA maps the session’s advisory upstream and downstream data rates (as configured on the session’s underlying interface) to the Juniper Networks VSAs, Upstream-Calculated-Qos-Rate [26-142] and Downstream-Calculated-Qos-Rate [26-141], respectively. AAA subsequently provides only these VSAs to RADIUS.
For successful authentication and accounting by RADIUS, AAA has to correlate PPPoE and DHCP IP demux sessions with their access lines and their associated DSL attributes. Some access nodes provide the ACI in PADI/PADR packets for the PPPoE sessions or in the DHCP discovery packets for DHCP IP demux sessions.
When the ACI is not provided in a 1:1 VLAN model with interface sets, you must associate the underlying interface for the sessions with the identifier and the interface set. If you do not configure this association, then only the advisory traffic rates are provided to RADIUS. This configuration has no effect when the identifier is provided by the access node.
For the N:1 VLAN model with interface sets, the access node must provide the ACI. If you configure the underlying interface for this model when the access node does not provide the identifier, the subscriber sessions can be incorrectly correlated with access lines.
AAA reports values to RADIUS for the Juniper Networks VSAs 26–141 and 26–142 according to the following scheme:
When the PPPoE or DHCP IP demux subscriber session can be correlated with an access line, then the ANCP agent adjusts the downstream and upstream traffic rates reported by the access node according to the ANCP agent CoS configuration. The agent then maps the adjusted rates to Upstream-Calculated-Qos-Rate [26-142] and Downstream-Calculated-Qos-Rate [26-141].
If the session cannot be correlated with an access line, but the PPPoE or DHCP discovery packet includes the DSL Forum VSA and the Access-Loop-Encapsulation subattribute includes a value for the AAL5 data link, then the ANCP agent adjusts the Actual-Data-Rate-Downstream and Actual-Data-Rate-Upstream subattributes to account for the ATM 48/53 cell tax. The adjusted rates are mapped to Upstream-Calculated-Qos-Rate [26-142] and Downstream-Calculated-Qos-Rate [26-141].
If neither of the preceding sets of conditions is satisfied, then the ANCP agent simply maps the recommended downstream and upstream data rates to Upstream-Calculated-Qos-Rate [26-142] and Downstream-Calculated-Qos-Rate [26-141]. The recommended rates are either configured statically for the VLAN or VLAN demux interfaces or are in the dynamic profile that creates the interfaces.
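The three-case scheme above as an added Python example (not Juniper code): it strictly decodes a DSL Forum VSA as carried in a RADIUS message and selects the values for 26-142 and 26-141. The function names, the `ancp_adjusted` input standing in for rates the ANCP agent has already adjusted per its CoS configuration, and the floor rounding of the 48/53 factor are assumptions.

```python
import struct

DSL_FORUM_VENDOR_ID = 3561                       # IANA vendor ID named on the page
RATE_UP, RATE_DOWN, LOOP_ENCAP = 129, 130, 144   # 26-3561-129/130/144 from Table 1
AAL5 = 0x00                                      # data-link octet for AAL5 (RFC 4679)

def parse_dsl_forum_vsa(attr: bytes) -> dict:
    """Decode one RADIUS Vendor-Specific attribute (type 26) into {subtype: value}."""
    if len(attr) < 6 or attr[0] != 26 or attr[1] != len(attr):
        raise ValueError("malformed Vendor-Specific attribute")
    if struct.unpack("!I", attr[2:6])[0] != DSL_FORUM_VENDOR_ID:
        raise ValueError("vendor ID is not 3561")
    subs, pos = {}, 6
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated subattribute header")
        sub_type, sub_len = attr[pos], attr[pos + 1]
        if sub_len < 2 or pos + sub_len > len(attr):
            raise ValueError("subattribute length out of bounds")
        subs[sub_type] = attr[pos + 2:pos + sub_len]
        pos += sub_len
    return subs

def calculated_qos_rates(subs, advisory, ancp_adjusted=None):
    """Return (upstream for 26-142, downstream for 26-141, source).

    advisory and ancp_adjusted are (upstream, downstream) tuples; ancp_adjusted
    is the already adjusted pair for a correlated access line, or None.
    """
    if ancp_adjusted is not None:                       # case 1: session correlated
        return (*ancp_adjusted, "ancp-adjusted")
    up, down, encap = (subs.get(k) for k in (RATE_UP, RATE_DOWN, LOOP_ENCAP))
    if (up and down and encap and len(up) == 4 and len(down) == 4
            and len(encap) == 3 and encap[0] == AAL5):  # case 2: AAL5 data link
        tax = lambda raw: struct.unpack("!I", raw)[0] * 48 // 53  # floor: assumption
        return (tax(up), tax(down), "cell-tax-adjusted")
    return (*advisory, "advisory")                      # case 3: recommended rates

def build_vsa(subs: dict) -> bytes:
    """Build constructed sample input for the parser."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in subs.items())
    return bytes([26, len(body) + 6]) + struct.pack("!I", DSL_FORUM_VENDOR_ID) + body

# Constructed sample: 1,060,000 up / 5,300,000 down reported on an AAL5 access loop.
SAMPLE = build_vsa({RATE_UP: struct.pack("!I", 1_060_000),
                    RATE_DOWN: struct.pack("!I", 5_300_000),
                    LOOP_ENCAP: b"\x00\x00\x01"})

if __name__ == "__main__":
    print(calculated_qos_rates(parse_dsl_forum_vsa(SAMPLE), (512_000, 2_048_000)))
```

The length checks matter because the discovery-time DSL Forum values arrive from the access side and, as the page notes, are not refreshed after discovery.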
To map an ACI to a static VLAN demux interface, include the access-identifier identifier statement at the [edit protocols ancp interfaces demux0.logical-unit-number] hierarchy level.
To configure advisory upstream and downstream data rates on a static VLAN demux interface, include the upstream-rate rate or downstream-rate rate statements at the [edit interfaces demux0 unit logical-unit-number] hierarchy level.
To configure an underlying interface for the PPPoE sessions in an interface set, include the underlying-interface interface-name statement at the [edit protocols ancp interfaces interface-set interface-set-name] hierarchy level.
When an ACI, and therefore a subscriber access line, has been mapped to an interface or interface set, the ACI can be re-mapped to a different interface or set. When this happens, traffic shaping is adjusted accordingly for the interfaces or interface sets involved. This capability is useful for the Business Services model, where a PPPoE session that is initially classified as a residential household can be reclassified as a business subscriber during RADIUS authentication by using a Junos OS ICE AAA framework Op-Script application.
In the Business Services Model, the PPPoE session initially represents a residential household until RADIUS authentication and authorization takes place. The ANCP agent dynamically maps the household’s access line to the appropriate subscriber interface and applies CoS traffic shaping to the interface. During authentication and authorization, the Op-Script application may classify the PPPoE session as a business subscriber rather than a residential subscriber. If this occurs, the application creates multiple static VLANs and groups them into an interface set. Based on the ANCP agent configuration, the application then statically maps the subscriber’s access line to this static interface set. This interface set can include only static interfaces.
The ANCP agent reverts CoS traffic shaping from the interface previously used by the subscriber and instead applies the shaping to the interface set. This reversion means that the CoS process applies to the interface the next shaping rate in its adjustment control profile.
ANCP TLVs Mapped to Juniper Networks and Broadband Forum Vendor-Specific Attributes
Some broadband access line information is not supported by standard RADIUS attributes. The DSL Forum defined RADIUS vendor-specific attributes for DSL access lines in RFC 4679, DSL Forum Vendor-Specific RADIUS Attributes. The VSAs include information about the access lines, the subscribers using the lines, and data rates on the lines.
The DSL Forum changed its name to the Broadband Forum and defined new RADIUS VSAs for G.fast (DSL) and PON access technologies. Some of the VSAs previously used only for DSL networks are also used for PON networks. All these VSAs, regardless of access technology, are referred to as DSL Forum VSAs because they are subattributes contained in the DSL Forum VSA.
An ANCP access node can provide this information to the router in the following ways:
In ANCP messages that carry ANCP access line TLVs (Type-Length-Value attributes)
In a PPPoE PADI message during PPPoE subscriber discovery
The original ANCP DSL TLVs are defined in RFC 6320, Protocol for Access Node Control Mechanism in Broadband Networks. RFC 6320 Draft Extension, Access Extensions for the Access Node Control Protocol, adds new TLVs for the DSL G.fast and PON VSAs. The ANCP access line TLVs map to both DSL Forum VSAs (IANA vendor ID 3561) and Juniper Networks (IANA vendor ID 4874) access line VSAs.
When the router receives ANCP TLVs from the access node, it does not parse or manipulate the information. Instead it simply passes the access line and traffic information to the RADIUS server in the corresponding RADIUS VSAs mapped from the TLVs. A RADIUS authentication or accounting message can contain any combination of the DSL Forum VSAs and the Juniper Networks VSAs. You can configure the RADIUS access profile to exclude one or more individual attributes, or all DSL Forum VSAs, from being included in RADIUS messages.
The DSL Forum VSAs received by the router during PPPoE and DHCP client discovery are not updated after discovery, whereas the equivalent ANCP attributes are updated whenever there is a change to the access line.
Table 1 shows the relationship between the ANCP TLVs, Juniper Networks VSAs, and DSL Forum VSAs.
ANCP TLV Number and Name | Juniper Networks VSA Number and Name | DSL Forum VSA Number and Name |
---|---|---|
0x01 Access-Loop-Circuit-ID | 26–4874–110 Acc-Loop-Cir-Id | 26–3561–1 Agent-Circuit-Id |
0x02 Access-Loop-Remote-ID | 26–4874–182 Acc-Loop-Remote-Id | 26–3561–2 Agent-Remote-Id |
0x03 Access-Aggregation-Circuit-ID-ASCII | 26–4874–112 Acc-Aggr-Cir-Id-Asc | 26–3561–3 Access-Aggregation-Circuit-ID-ASCII |
0x06 Access-Aggregation-Circuit-ID-Binary | 26–4874–111 Acc-Aggr-Cir-Id-Bin | 26–3561–6 Access-Aggregation-Circuit-ID-Binary |
0x81 Actual-Net-Data-Rate-Upstream | | 26–3561–129 Actual-Data-Rate-Upstream |
0x82 Actual-Net-Data-Rate-Downstream | | 26–3561–130 Actual-Data-Rate-Downstream |
0x83 Minimum-Net-Data-Rate-Upstream | 26–4874–115 Min-Data-Rate-Up | 26–3561–131 Minimum-Data-Rate-Upstream |
0x84 Minimum-Net-Data-Rate-Downstream | 26–4874–116 Min-Data-Rate-Dn | 26–3561–132 Minimum-Data-Rate-Downstream |
0x85 Attainable-Net-Data-Rate-Upstream | 26–4874–117 Att-Data-Rate-Up | 26–3561–133 Attainable-Data-Rate-Upstream |
0x86 Attainable-Net-Data-Rate-Downstream | 26–4874–118 Att-Data-Rate-Dn | 26–3561–134 Attainable-Data-Rate-Downstream |
0x87 Maximum-Net-Data-Rate-Upstream | 26–4874–119 Max-Data-Rate-Up | 26–3561–135 Maximum-Data-Rate-Upstream |
0x88 Maximum-Net-Data-Rate-Downstream | 26–4874–120 Max-Data-Rate-Dn | 26–3561–136 Maximum-Data-Rate-Downstream |
0x89 Minimum-Net-Low-Power-Data-Rate-Upstream | 26–4874–121 Min-LP-Data-Rate-Up | 26–3561–137 Minimum-Data-Rate-Upstream-Low-Power |
0x8A Minimum-Net-Low-Power-Data-Rate-Downstream | 26–4874–122 Min-LP-Data-Rate-Dn | 26–3561–138 Minimum-Data-Rate-Downstream-Low-Power |
0x8B Maximum-Interleaving-Delay-Upstream | 26–4874–123 Max-Interlv-Delay-Up | 26–3561–139 Maximum-Interleaving-Delay-Upstream |
0x8C Actual-Interleaving-Delay-Upstream | 26–4874–124 Act-Interlv-Delay-Up | 26–3561–140 Actual-Interleaving-Delay-Upstream |
0x8D Maximum-Interleaving-Delay-Downstream | 26–4874–125 Max-Interlv-Delay-Dn | 26–3561–141 Maximum-Interleaving-Delay-Downstream |
0x8E Actual-Interleaving-Delay-Downstream | 26–4874–126 Act-Interlv-Delay-Dn | 26–3561–142 Actual-Interleaving-Delay-Downstream |
0x8F DSL-Line-State | 26–4874–127 DSL-Line-State | n/a |
0x90 Access-Loop-Encapsulation | 26–4874–183 Acc-Loop-Encap | 26–3561–144 Access-Loop-Encapsulation |
0x91 DSL-Type | 26–4874–128 DSL-Type | 26–3561–145 DSL-Type |
0x92 PON-Access-Type | 26–4874–219 PON-Access-Type | 26–3561–146 PON-Access-Type |
0x93 ONT/ONU-Average-Data-Rate-Downstream | 26–4874–220 ONT/ONU-Average-Data-Rate-Downstream | 26–3561–147 ONT/ONU-Average-Data-Rate-Downstream |
0x94 ONT/ONU-Peak-Data-Rate-Downstream | 26–4874–221 ONT/ONU-Peak-Data-Rate-Downstream | 26–3561–148 ONT/ONU-Peak-Data-Rate-Downstream |
0x95 ONT/ONU-Maximum-Data-Rate-Upstream | 26–4874–222 ONT/ONU-Maximum-Data-Rate-Upstream | 26–3561–149 ONT/ONU-Maximum-Data-Rate-Upstream |
0x96 ONT/ONU-Assured-Data-Rate-Upstream | 26–4874–223 ONT/ONU-Assured-Data-Rate-Upstream | 26–3561–150 ONT/ONU-Assured-Data-Rate-Upstream |
0x97 PON-Tree-Maximum-Data-Rate-Upstream | 26–4874–224 PON-Tree-Maximum-Data-Rate-Upstream | 26–3561–151 PON-Tree-Maximum-Data-Rate-Upstream |
0x98 PON-Tree-Maximum-Data-Rate-Downstream | 26–4874–225 PON-Tree-Maximum-Data-Rate-Downstream | 26–3561–152 PON-Tree-Maximum-Data-Rate-Downstream |
0x9B Expected Throughput | 26–4874–226 Expected-Throughput-Upstream | 26–3561–155 Expected-Throughput-Upstream |
0x9C Expected Throughput at L2 | 26–4874–227 Expected-Throughput-Downstream | 26–3561–156 Expected-Throughput-Downstream |
0x9D Attainable Expected Throughput | 26–4874–228 Attainable-Expected-Throughput-Upstream | 26–3561–157 Attainable-Expected-Throughput-Upstream |
0x9E Attainable Expected Throughput at L2 | 26–4874–229 Attainable-Expected-Throughput-Downstream | 26–3561–158 Attainable-Expected-Throughput-Downstream |
0x9F Gamma data rate upstream | 26–4874–230 Gamma-Data-Rate-Upstream | 26–3561–159 Gamma-Data-Rate-Upstream |
0xA0 Gamma data rate downstream | 26–4874–231 Gamma-Data-Rate-Downstream | 26–3561–160 Gamma-Data-Rate-Downstream |
0xA1 Attainable Gamma data rate upstream | 26–4874–232 Attainable-Gamma-Data-Rate-Upstream | 26–3561–161 Attainable-Gamma-Data-Rate-Upstream |
0xA2 Attainable Gamma data rate downstream | 26–4874–233 Attainable-Gamma-Data-Rate-Downstream | 26–3561–162 Attainable-Gamma-Data-Rate-Downstream |
Table 2 lists the ANCP TLVs and indicates with a checkmark whether the TLV is used for DSL or PON subscriber access lines.
ANCP TLV Number and Name | Used for DSL Access | Used for PON Access |
---|---|---|
0x01 Access-Loop-Circuit-ID | ✓ | ✓ |
0x02 Access-Loop-Remote-ID | ✓ | ✓ |
0x03 Access-Aggregation-Circuit-ID-ASCII | ✓ | ✓ |
0x06 Access-Aggregation-Circuit-ID-Binary | ✓ | ✓ |
0x81 Actual-Net-Data-Rate-Upstream | ✓ | – |
0x82 Actual-Net-Data-Rate-Downstream | ✓ | – |
0x83 Minimum-Net-Data-Rate-Upstream | ✓ | – |
0x84 Minimum-Net-Data-Rate-Downstream | ✓ | – |
0x85 Attainable-Net-Data-Rate-Upstream | ✓ | – |
0x86 Attainable-Net-Data-Rate-Downstream | ✓ | – |
0x87 Maximum-Net-Data-Rate-Upstream | ✓ | – |
0x88 Maximum-Net-Data-Rate-Downstream | ✓ | – |
0x89 Minimum-Net-Low-Power-Data-Rate-Upstream | ✓ | – |
0x8A Minimum-Net-Low-Power-Data-Rate-Downstream | ✓ | – |
0x8B Maximum-Interleaving-Delay-Upstream | ✓ | – |
0x8C Actual-Interleaving-Delay-Upstream | ✓ | – |
0x8D Maximum-Interleaving-Delay-Downstream | ✓ | – |
0x8E Actual-Interleaving-Delay-Downstream | ✓ | – |
0x8F DSL-Line-State | ✓ | – |
0x90 Access-Loop-Encapsulation | ✓ | – |
0x91 DSL-Type | ✓ | – |
0x92 PON-Access-Type | – | |
0x93 ONT/ONU-Average-Data-Rate-Downstream | – | ✓ |
0x94 ONT/ONU-Peak-Data-Rate-Downstream | – | ✓ |
0x95 ONT/ONU-Maximum-Data-Rate-Upstream | – | ✓ |
0x96 ONT/ONU-Assured-Data-Rate-Upstream | – | ✓ |
0x97 PON-Tree-Maximum-Data-Rate-Upstream | – | ✓ |
0x98 PON-Tree-Maximum-Data-Rate-Downstream | – | ✓ |
0x9B Expected Throughput | ✓ | – |
0x9C Expected Throughput at L2 | ✓ | – |
0x9D Attainable Expected Throughput | ✓ | – |
0x9E Attainable Expected Throughput at L2 | ✓ | – |
0x9F Gamma data rate upstream | ✓ | – |
0xA0 Gamma data rate downstream | ✓ | – |
0xA1 Attainable Gamma data rate upstream | ✓ | – |
0xA2 Attainable Gamma data rate downstream | ✓ | – |
Configuring AAA to Include Juniper Networks Access Line VSAs in RADIUS Messages
You can include the juniper-access-line-attributes statement to configure AAA to add the set of Juniper Networks access line VSAs to the RADIUS authentication and accounting request messages for subscribers. By default, these VSAs are not added to any RADIUS message. See ANCP TLVs Mapped to Juniper Networks and Broadband Forum Vendor-Specific Attributes for a table of the Juniper Networks DSL VSAs.
After you have configured the inclusion of the Juniper Networks access line VSAs, you can subsequently exclude one or more of the VSAs from being transmitted. To do so, include the exclude statement at the [edit access profile profile-name radius attributes] hierarchy level, and specify which VSAs to exclude.
In contrast to the Juniper Networks access line VSAs (vendor ID 4874), the DSL Forum VSA (vendor ID 3561) is added to all RADIUS messages by default. The DSL Forum VSA conveys individual DSL Forum attributes. See DSL Forum Vendor-Specific Attributes for a table of these VSAs. You can use the exclude statement at the [edit access profile profile-name radius attributes] hierarchy level to prevent this VSA from being included in any RADIUS message.
To add the Juniper Networks access line VSAs to RADIUS messages:
Configure the inclusion trigger.
[edit access profile profile-name radius options]
user@host# set juniper-access-line-attributes
To exclude specific Juniper Networks DSL VSAs from RADIUS messages:
Configure the exclusion trigger.
[edit access profile profile-name radius attributes]
user@host# set exclude vsa-option
For example, to exclude the interleaving delay VSAs, configure the following statements:
[edit access profile profile-name radius attributes]
user@host# set exclude max-interlv-delay-dn
user@host# set exclude max-interlv-delay-up
To exclude the DSL Forum (RFC 4679) VSA from RADIUS messages:
Configure the exclusion trigger.
[edit access profile profile-name radius attributes]
user@host# set exclude dsl-forum-attributes
Configuring Immediate Interim Accounting Updates to RADIUS in Response to ANCP Notifications
When an ANCP neighbor reports a change in the upstream traffic rate or downstream traffic rate of an access line, the ANCP agent immediately passes the information to AAA. By default, AAA does not pass this information on to the RADIUS server until the next accounting update. However, you can configure AAA to report the rate change immediately.
When you include the ancp-speed-change-immediate-update statement in the subscriber session access profile, receipt of the notification from the ANCP agent triggers AAA to send an interim update Accounting-Request message to the RADIUS server for the PPPoE and DHCP IP demux subscribers associated with that access line. The interim update request includes the new access line parameters and the adjusted upstream and downstream traffic rates.
To configure AAA to immediately send rate change information from the ANCP agent to the RADIUS server with interim accounting updates:
Specify the immediate update.
[edit access profile profile-name accounting]
user@host# set ancp-speed-change-immediate-update