Subscriber Authentication for DSL Networks

This document is targeted at network engineers wishing to gain an understanding of how Broadband Provisioner can be used for Subscriber Authentication in DSL networks.

Requirements

A basic knowledge of DSL technologies, including DSLAMs, is required.

Overview

DSL networks that currently use PPPoE are often configured to authenticate subscribers using a RADIUS server. Configuring these credentials is error-prone and time-consuming, both on the residential gateway and in the RADIUS server.

Broadband Provisioner can perform subscriber authentication during the DHCP stage, thereby negating the need for a separate RADIUS server. This authentication can control the type of IP address the DSL modem receives, or whether the modem may receive an address at all. The configuration described here operates on a per-subscriber basis, regardless of any specific DSL modem on the customer's premises.

DHCP and DSLAMs

The DHCP protocol leases an IP address to a device for a specific amount of time. When this lease time has passed, the device must request to extend the lease. If the DHCP server cannot or will not extend the lease, the device must stop using the IP address.

The DHCP protocol defines a standard mechanism whereby a trusted intermediate device (such as a DSLAM) can insert specific information into DHCP traffic before forwarding the traffic to a central DHCP server. This mechanism is called Relay Agent Information, but is most commonly referred to simply as "option 82".

Most DSLAMs support option 82, typically by inserting the port number the modem is communicating on. The name of the DSLAM may also be included in this information.

DHCP Option 82 and Broadband Provisioner

Before the DHCP server in Broadband Provisioner can process any DHCP request, it must first locate and process any rules for this request. The rule system is a straightforward system of accounts, wherein Broadband Provisioner finds the account associated with the DHCP client (the modem), decides what DHCP resources the client has access to, and processes the DHCP request.

In a DSL environment, Broadband Provisioner may be configured to locate an account using the option 82 remote identifier (the DSLAM name + port number). By configuring Broadband Provisioner to locate the rules for a modem using the option 82 remote identifier, the server can effectively enforce DHCP access policies for a specific subscriber without requiring advance knowledge of the actual DSL modem being serviced.

Individual DSL modems are automatically recorded, but they can be managed as a group using the subscriber account. Furthermore, replacing a subscriber's modem requires no changes to the configuration of Broadband Provisioner if the subscriber is configured to receive a dynamic IP address. (For subscribers that expect to receive a single static IP address regardless of the modem in use, an extra configuration step is required.)
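
The account lookup described above can be sketched as follows. This is an added example, not Broadband Provisioner code or configuration: it parses the option 82 payload using the sub-option codes from RFC 3046, finds the subscriber account by remote identifier, and denies by default. The relay allow-list, account table, policy names and function names are hypothetical, and the sample data is constructed.

```python
# Added illustration; not Broadband Provisioner code. Names and data are hypothetical.
OPT_RELAY_AGENT_INFO = 82   # RFC 3046 Relay Agent Information
SUB_CIRCUIT_ID = 1          # RFC 3046 Agent Circuit ID
SUB_REMOTE_ID = 2           # RFC 3046 Agent Remote ID

# Constructed sample data: relays trusted to insert option 82, and accounts keyed by remote ID.
TRUSTED_RELAYS = {"10.0.0.2"}
ACCOUNTS = {
    b"dslam-east-1/port-17": {"subscriber": "A. Example", "policy": "dynamic"},
    b"dslam-east-1/port-18": {"subscriber": "B. Example", "policy": "deny"},
}


def parse_option82(payload: bytes) -> dict:
    """Split an option 82 payload into {sub-option code: value}."""
    subopts, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length overruns payload")
        subopts[code] = value
        i += 2 + length
    return subopts


def decide(giaddr: str, options: dict) -> str:
    """Return the lease policy for a relayed request; the modem's MAC is never consulted."""
    if giaddr not in TRUSTED_RELAYS:
        return "deny"  # option 82 is only meaningful when a trusted relay inserted it
    raw = options.get(OPT_RELAY_AGENT_INFO)
    if raw is None:
        return "deny"  # no relay information, so no subscriber identity
    try:
        remote_id = parse_option82(raw).get(SUB_REMOTE_ID)
    except ValueError:
        return "deny"  # malformed payload is rejected, not guessed at
    account = ACCOUNTS.get(remote_id)
    return account["policy"] if account else "deny"


def sample_option82(circuit: bytes, remote: bytes) -> bytes:
    """Build a constructed option 82 payload for testing the functions above."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote)]) + remote)
```

Because the decision keys only on the relay-inserted remote identifier, swapping the modem on a port leaves the result unchanged, while a request from an unlisted relay, or one with a truncated payload, is refused.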