C HAPTER 13. ONT A UTHENTICATION B Y F REE RADIUS

DASAN NETWORKSGPON TRAINING

CHAPTER 13. ONT AUTHENTICATION BY FREERADIUS

www.dasannetworks.eu

1. Service Scenario

2. RADIUS Message Format

3. OLT Configuration

4. FreeRADIUS configuration

6. CoA and DM

7. Example


Table of contents


1. Service Scenario (1)

ONU Authentication from RADIUS ServerYou can use the RADIUS authentication process when an ONU (ONT) is activated and it attempts to access an OLT. The RADIUS Access-Request message is sent from the OLT to the RADIUS server. If the ONU is valid, the RADIUS server consults a database of ONUs to find the ONU which matches the authentication attributes in the connection request. If the RADIUS server has the valid ONU-related information, it sends the configuration settings placed into a RADIUS Access-Accept message to the OLT for the ONU registration. The OLT receives the service profile settings from the RADIUS server and it assigns a new service profile to ONU.

① Upload MIB Info: During the initial connection between OLT and ONU, the ONU uploads the MIB information. On the OLT side, the OLT checks the ONU validation using ONU model name, firmware version and serial number. ② Sends RADIUS message: If the RADIUS authentication is required when the OLT and ONU are connected each other, the OLT sends Access-Request message with the authentication attributes (user name, user password, OLT-ID, ONU-ID, ONT model name, serial number, firmware version) to the RADIUS server. ③ Receive Response message: If the RADIUS message is sent by a valid ONU, and if the authentication attributes contain the correct values, the Access-Accept message of ONU configuration settings is sent by the RADIUS server.④ Set the configuration: The OLT receives the service profile information from the RADIUS server. The new service profile settings are assigned to ONU. The RADIUS server sends Disconnect messages (DM) request in order to

terminate a user session on a network access server, whereas it sends Change-of-Authorization (CoA) request messages to modify session authorization attributes of ONU. The OLT checks that the key of DM message from the RADIUS server is valid. If the key value is invalid, the packets are silently discarded.

DASAN OLT support authentication by FreeRADIUS server (http://freeradius.org )

http://freeradius.org/


1. Service Scenario (2)


2. RADIUS Message Format (1)


2. RADIUS Message Format (2)


3. OLT Configuration (1)

2. GPON OLT Port Configuration: After RADIUS configuration, You need to enable ONT authentication on each GPON-OLT port:

SWITCH#configure terminalSWITCH(config)# gponSWITCH(gpon)# gpon-olt 2SWITCH(config-gpon-olt[2])# onu auth-control enable

3. ONT identification: RADIUS server significantly identify ONTs by ONT Serial Number:

OLT Configuration

1. RADIUS Server Configuration: To configure IP address and key value of RADIUS server for ONU authentication, use the following configuration:

To display the information of RADIUS server for ONU authentication, use the following command:

RADIUS server is supported from firmware versions:

- V5812G: 5.09- V5824G:1.03-0016- V8240: 5.10



4. RADIUS Username: by default OLT for ONT authentication User-Name is using ONT Serial Number, but You can change it to model-name:

5. ONT reconnecting between GPON ports: If You enable ONT authentication by server RADIUS on more then one GPON port, then You can without problems reconnect ONTs between them. ONT will be automatically authenticated and it will receive proper configuration. But as You know, one time connected ONT is learned on OLT port until we will remove it manually. So ONT will be still present on previous port configuration. The solution for this situation is ONU INACTIVE feature – which will delete ONT (with configuration) if it is inactive for defined time.

SWITCH(config)# gponSWITCH(gpon)# onu auth radius-username ? model-name Use model name of ONU serial-number Use GPON serial number of ONU (default)



6. OLT GPON Ports Numbering for RADIUS communication:

V5812G: 1, 2, 3, 4

V5824G: 1, 2, 3, 4, 5, 6, 7, 8

V8240 – standard port numbering is SLOT/PORT (on the left), but for RADIUS You should use numbering on the right:


4. FreeRADIUS configuration (1)

DASAN OLTs support only FreeRADIUS server. Below configuration was checked on system Ubuntu 12.04

1. FreeRADIUS server Installation – description is available on the network, so this will be not described here – please visit (http://freeradius.org)

2. DASAN Attributes definition

Create new file disctionary.dasan on folder etc/freeradius . Now define attributes which will be used by FreeRADIUS for ONT authentication. File should contain below definitions:VENDOR Dasan 6296

BEGIN-VENDOR Dasan

ATTRIBUTE Dasan-Gpon-Olt-Id 101 inte-ger

ATTRIBUTE Dasan-Gpon-Onu-Id 102 inte-ger

ATTRIBUTE Dasan-Gpon-Onu-Model-Name 103 string

ATTRIBUTE Dasan-Gpon-Onu-Serial-Num 104 string

ATTRIBUTE Dasan-Gpon-Onu-Profile 105 string

ATTRIBUTE Dasan-Gpon-Onu-Firmware-Version 106 string

ATTRIBUTE Dasan-Gpon-Onu-Static-Ip 107 string

ATTRIBUTE Dasan-Gpon-Onu-Voip-Sip-Number 108 string

ATTRIBUTE Dasan-Gpon-Onu-Voip-Sip-Auth 109 string

ATTRIBUTE Dasan-Gpon-Onu-Voip-Mgc-Msg-Id 110 string

ATTRIBUTE Dasan-Gpon-Onu-Voip-Mgc-Term-Id 111 string

ATTRIBUTE Dasan-Gpon-Onu-Uni-Port-Admin 112 string

ATTRIBUTE Dasan-Gpon-Onu-Description 113 string

ATTRIBUTE Dasan-Gpon-Onu-Uni-Eth-Port-Medium 114 string

ATTRIBUTE Dasan-Gpon-Onu-Uni-Eth-Auto-Detect 115 string

ATTRIBUTE Dasan-Gpon-Onu-Mac-Filter 116 string

END-VENDOR Dasan




3. Assign disctionary.dasan to the RADIUS main DICTIONARY

Edit file: etc/freeradius/dictionary and include previous created file with DASAN attributes:

$INCLUDE dictionary.dasan

4. Define OLTs as NAS (Network Access Serwer) Servers

Edit file etc/freeradius/clients.conf and define OLT on which ONTs should be authenticated by FreeRADIUS, e.g.:

client OLT-V5812G {ipaddr = 172.16.16.186 <- OLT V5812G IP Addresssecret = testing123vendor = Dasancoa_server = localhost-coa

}

client OLT-V8240 {ipaddr = 172.16.16.141 <- OLT V8240 IP Addresssecret = testing123vendor = Dasancoa_server = localhost-coa

}



5. Home-Server configuration for CoA and DM packets

For CoA (Change Of Authorization) and DM(Disconnect Message) messages You need to define Home-Server and OLTs IP. To do that – edit file etc/freeradius/sites-available/originate-coa and set as below:

home_server localhost-coa{type = coaipaddr = 172.16.16.186ipaddr = 172.16.16.141port = 3799# This secret SHOULD NOT be the same as the shared# secret in a "client" section.secret = testing123# CoA specific parameters. See raddb/proxy.conf for details.coa {irt = 2mrt = 16mrc = 5mrd = 30

}

6. Define originate-coa

On file etc/freeradius/radiusd.conf include previously edited file originate-coa

$INCLUDE sites-available/originate-coa



7. User (ONT) configuration

For user/ONT definition, modify file etc/freeradius/users. Below is an example definition/configuration for two ONTs:

# ONT H640GV-03 connected to OLT V5812G (SN: DSNW4ad601f8)

DSNW4ad601f8 Cleartext-Password := "H640GV-03" ,Dasan-Gpon-Onu-Serial-Num == "DSNW4ad601f8"

Dasan-Gpon-Onu-Profile = "H640GV-03",Dasan-Gpon-Onu-Description += "GV-03-TEST",Dasan-Gpon-Onu-Static-Ip +="1 192.168.88.5/24 192.168.88.1",Dasan-Gpon-Onu-Voip-Sip-Number +="1 1112",Dasan-Gpon-Onu-Voip-Sip-Auth +="1 1112 haslogv03-1",Dasan-Gpon-Onu-Voip-Sip-Number +="2 1114",Dasan-Gpon-Onu-Voip-Sip-Auth +="2 1114 haslogv03-2",Dasan-Gpon-Onu-Uni-Port-Admin +="eth 3-4 disable„

# ONT H640GW-02 connected to OLT V5812G (SN: DSNW4ad601f8)

DSNW4bd6a880 Cleartext-Password := "H640GW-02" ,Dasan-Gpon-Onu-Serial-Num =="DSNW4bd6a880"

Dasan-Gpon-Onu-Profile = "H640GW-02",Dasan-Gpon-Onu-Description += "GW-02-TEST",Dasan-Gpon-Onu-Static-Ip +="1 192.168.88.6/24 192.168.88.1",Dasan-Gpon-Onu-Voip-Sip-Number +="1 1113",Dasan-Gpon-Onu-Voip-Sip-Auth +="1 1113 haslogw02„

Remember about indentation – otherwise it will not work.






}





6. CoA and DM (1)

For ONT authentication RADIUS server can use two types of messages: Change Of Authorization and Disconnect Message.

Change Of Authorization (CoA) – this type of packet is used when we want to change ONT authorization(configuration). In this situation we need to send from RADIUS server to OLT, below information’s:

◦ OLT-ID – OLT GPON port to which ONT is connected,◦ ONT Serial Number,◦ All configuration which we want to send (You should use attributes which were defined on

dictionary.dasan). EXAMPLE:

ONT Previous configuration in etc/freeradius/users:




Now we will change ONT configuration:



Dasan-Gpon-Onu-Profile = "H640GV-03-NEW",Dasan-Gpon-Onu-Description += "NEW_DESCRIPTION",Dasan-Gpon-Onu-Static-Ip +="1 192.168.88.13/24 192.168.88.1",Dasan-Gpon-Onu-Voip-Sip-Number +="1 1112",Dasan-Gpon-Onu-Voip-Sip-Auth +="1 1112 haslogv03-1",Dasan-Gpon-Onu-Voip-Sip-Number +="2 1114",Dasan-Gpon-Onu-Voip-Sip-Auth +="2 1114 haslogv03-2",Dasan-Gpon-Onu-Uni-Port-Admin +="eth 3-4 enable"


6. CoA and DM (2)

Now from RADIUS server You need to send CoA message:

sudo echo "Dasan-Gpon-Olt-Id=2,Dasan-Gpon-Onu-Serial-Num=DSNW4ad601f8,Dasan-GponOnu-Profile=H640GV-03-NEW,Dasan-Gpon-Onu-Description=NEW_DESCRIPTION,Dasan-Gpon-OnuStatic-Ip='1 192.168.88.13/24 192.168.88.1',Dasan-Gpon-Onu-Uni-Port-Admin='eth 3-4 enable'" | radclient -x 172.16.16.186 coa testing123

Sending CoA-Request of id 134 to 172.16.16.186 port 3799Dasan-Gpon-Olt-Id = 2Dasan-Gpon-Onu-Serial-Num = "DSNW4ad601f8"Dasan-Gpon-Onu-Profile = "H640GV-03-NEW"Dasan-Gpon-Onu-Description = "NEW_DESCRIPTION"Dasan-Gpon-Onu-Static-Ip = "1 192.168.88.13/24 192.168.88.1"Dasan-Gpon-Onu-Uni-Port-Admin = "eth 3-4 enable"

rad_recv: CoA-ACK packet from host 172.16.16.186 port 3799, id=134, length=20

Of course always during next ONT authorization ONT will receive new configuration from RADIUS (so after e.g. ONT restart).

So if You do not want to send from RADIUS all new Configuration – than You can also send DM Packet (described on next slide):- ONT will be deleted form OLT- Again discovered on GPON-OLT port- Try to authenticate


6. CoA and DM (3)

Disconnect Message (DM) – this type of packet is used when we want to delete authentication of ONT – so remove all configuration which ONT received during last successful authorization.

◦ OLT-ID – OLT GPON port to which ONT is connected,◦ ONT Serial Number,

EXAMPLE:We will comment or delete ONT configuration on file etc/freeradius/users:


#DSNW4ad601f8 Cleartext-Password := "H640GV-03" ,Dasan-Gpon-Onu-Serial-Num == "DSNW4ad601f8"# Dasan-Gpon-Onu-Profile = "H640GV-03",# Dasan-Gpon-Onu-Description += "GV-03-TEST",# Dasan-Gpon-Onu-Static-Ip +="1 192.168.88.5/24 192.168.88.1",# Dasan-Gpon-Onu-Voip-Sip-Number +="1 1112",# Dasan-Gpon-Onu-Voip-Sip-Auth +="1 1112 haslogv03-1",# Dasan-Gpon-Onu-Voip-Sip-Number +="2 1114",# Dasan-Gpon-Onu-Voip-Sip-Auth +="2 1114 haslogv03-2",# Dasan-Gpon-Onu-Uni-Port-Admin +="eth 3-4 disable„

Now from RADIUS server send DM packet:

sudo echo "Dasan-Gpon-Olt-Id=2,Dasan-Gpon-Onu-SerialNum=DSNW4ad601f8" | radclient -x 172.16.16.186 disconnect testing123

Sending Disconnect-Request of id 238 to 172.16.16.186 port 3799Dasan-Gpon-Olt-Id = 2Dasan-Gpon-Onu-Serial-Num = "DSNW4ad601f8"

rad_recv: Disconnect-ACK packet from host 172.16.16.186 port 3799, id=238, length=20

DM PACKET = no onu ONU-SN

You can use DM packet except CoA packet – then ONT will be discovered again on OLT and try to authenticate again


7. Example (1)

On this point You will see example configuration for V5812G OLT – to use ONT FreeRADIUS authentication.

Topology is as on the picture on the right.


7. Example (2)

1. OLT IP interface configuration – we need to set IP address on OLT to communicate with RADIUS server

GPON_V5812G# configure terminal

GPON_V5812G(config)# bridge

GPON_V5812G(bridge)# vlan create 100 <- create VLAN 100

GPON_V5812G(bridge)# vlan add 100 10 untagged <- assign uplink port to VLAN 100

GPON_V5812G(bridge)# exit

GPON_V5812G(config)# interface 100 <- enable interface 100

GPON_V5812G(config-if[100])# ip address 172.16.16.186/24 <- configure IP address

GPON_V5812G(config-if[100])# no shutdown <- enable interface

GPON_V5812G(config-if[100])# exit

GPON_V5812G(config)# sh ip interface brief <- check interface

Interface Status Protocol Primary IP Secondary IP

--------------------------------------------------------------------------

lo up up unassigned unassigned

mgmt up down unassigned unassigned

br100 up up 172.16.16.186 unassigned

br200 up down unassigned unassigned

br400 up down unassigned unassigned

2. Configure authentication from RADIUS Server:

GPON_V5812G(config)# gponGPON_V5812G(gpon)# onu auth radius-server host 172.16.16.128 key testing123

<- 172.16.16.128 – RADIUS server IP address


7. Example (3)

3. Enable ONT authentication

GPON_V5812G(gpon)# gpon-olt 1

GPON_V5812G(config-gpon-olt[1])# onu auth-control enable

GPON_V5812G(config-gpon-olt[1])# gpon-olt 2






4. FreeRADIUS server Installation – description is available on the network, so this will be not described here – please visit (http://freeradius.org)

5.DASAN Attributes definition Create new file disctionary.dasan on folder etc/freeradius . Now define attributes which will be used by FreeRADIUS for ONT authentication. File should contain below definitions:

VENDOR Dasan 6296

BEGIN-VENDOR Dasan

ATTRIBUTE Dasan-Gpon-Olt-Id 101 inte-ger

ATTRIBUTE Dasan-Gpon-Onu-Id 102 inte-ger

ATTRIBUTE Dasan-Gpon-Onu-Model-Name 103 string

ATTRIBUTE Dasan-Gpon-Onu-Serial-Num 104 string

ATTRIBUTE Dasan-Gpon-Onu-Profile 105 string

ATTRIBUTE Dasan-Gpon-Onu-Firmware-Version 106 string

ATTRIBUTE Dasan-Gpon-Onu-Static-Ip 107 string

ATTRIBUTE Dasan-Gpon-Onu-Voip-Sip-Number 108 string

ATTRIBUTE Dasan-Gpon-Onu-Voip-Sip-Auth 109 string

ATTRIBUTE Dasan-Gpon-Onu-Voip-Mgc-Msg-Id 110 string

ATTRIBUTE Dasan-Gpon-Onu-Voip-Mgc-Term-Id 111 string

ATTRIBUTE Dasan-Gpon-Onu-Uni-Port-Admin 112 string

ATTRIBUTE Dasan-Gpon-Onu-Description 113 string

ATTRIBUTE Dasan-Gpon-Onu-Uni-Eth-Port-Medium 114 string

ATTRIBUTE Dasan-Gpon-Onu-Uni-Eth-Auto-Detect 115 string

ATTRIBUTE Dasan-Gpon-Onu-Mac-Filter 116 string

END-VENDOR Dasan



7. Example (4)

6. Assign disctionary.dasan to the RADIUS main DICTIONARY

Edit file: etc/freeradius/dictionary and include previous created file with DASAN attributes:

$INCLUDE dictionary.dasan

7. Define OLTs as NAS (Network Access Serwer) Servers

Edit file etc/freeradius/clients.conf and define OLT on which ONTs should be authenticated by FreeRADIUS, e.g.:

client OLT-V5812G {ipaddr = 172.16.16.186 <- OLT V5812G IP Addresssecret = testing123vendor = Dasancoa_server = localhost-coa

}

client OLT-V8240 {ipaddr = 172.16.16.141 <- OLT V8240 IP Addresssecret = testing123vendor = Dasancoa_server = localhost-coa

}


7. Example (5)




}





7. Example (6)

9. User (ONT) configuration

For user/ONT definition, modify file etc/freeradius/users. Below is an example definition/configuration for two ONTs:




# ONT H640GW-02 connected to OLT V5812G (SN: DSNW4ad601f8)

DSNW4bd6a880 Cleartext-Password := "H640GW-02" ,Dasan-Gpon-Onu-Serial-Num =="DSNW4bd6a880"

Dasan-Gpon-Onu-Profile = "H640GW-02",Dasan-Gpon-Onu-Description += "GW-02-TEST",Dasan-Gpon-Onu-Static-Ip +="1 192.168.88.6/24 192.168.88.1",Dasan-Gpon-Onu-Voip-Sip-Number +="1 1113",Dasan-Gpon-Onu-Voip-Sip-Auth +="1 1113 haslogw02„

Remember about indentation – otherwise it will not work.

THANK YOU


If You need help please contact: [email protected]

mailto:[email protected]

Documents

C HAPTER 13. ONT A UTHENTICATION B Y F REE RADIUS