RADIUS AAA
Full RADIUS Authentication, Authorization, and Accounting — the backbone of subscriber management.
Overview
AthenaBNG implements comprehensive RADIUS support for both PPPoE and IPoE sessions. Every subscriber interaction — from initial authentication through to final disconnect — is tracked and reported via standard RADIUS protocols.
Authentication (RFC 2865)
PPPoE Sessions
PPPoE subscribers authenticate via PAP or CHAP during PPP negotiation:
| Attribute | Value |
|---|---|
| User-Name | Subscriber username |
| User-Password / CHAP-Password | Subscriber credentials |
| Calling-Station-Id | Subscriber MAC address |
| NAS-Port-Id | VLAN interface name |
| NAS-Identifier | BNG hostname |
| NAS-IP-Address | BNG management IP |
| Service-Type | Framed |
IPoE/DHCP Sessions
IPoE subscribers are authenticated by MAC address:
| Attribute | Value |
|---|---|
| User-Name | MAC address (aa:bb:cc:dd:ee:ff) |
| Calling-Station-Id | MAC address |
| NAS-Port-Id | VLAN interface name (Circuit ID) |
| NAS-Identifier | BNG hostname |
| Service-Type | Framed |
Authorization
RADIUS Access-Accept controls session parameters:
| Attribute | Purpose |
|---|---|
| Framed-IP-Address | Subscriber IP address |
| Framed-IP-Netmask | Subnet mask (usually /32) |
| Session-Timeout | Maximum session duration |
| Idle-Timeout | Idle disconnect timer |
| Athena-Rate-Down | Download rate in bps |
| Athena-Rate-Up | Upload rate in bps |
| Athena-Overhead-Profile | QoS overhead compensation profile |
Vendor-Specific Attributes (VSAs)
AthenaBNG defines vendor-specific attributes under the Athena Networks enterprise number:
VENDOR Athena 12345
ATTRIBUTE Athena-Rate-Down 1 integer
ATTRIBUTE Athena-Rate-Up 2 integer
ATTRIBUTE Athena-Overhead-Profile 3 string
Accounting (RFC 2866)
Full session accounting with real traffic counters:
Accounting Events
| Event | Acct-Status-Type | Trigger |
|---|---|---|
| Session start | Start | PPP IPCP complete / DHCP ACK |
| Periodic update | Interim-Update | Configurable interval (default 5 min) |
| Subscriber disconnect | Stop | PADT / DHCP Release |
| Lease expiry | Stop | DHCP lease timeout |
| Admin disconnect | Stop | CoA Disconnect / CLI |
| BNG shutdown | Stop | Graceful SIGTERM |
Traffic Counters
Accounting packets include real interface statistics from the Linux kernel:
| Attribute | Description |
|---|---|
| Acct-Input-Octets | Bytes received (lower 32 bits) |
| Acct-Output-Octets | Bytes sent (lower 32 bits) |
| Acct-Input-Gigawords | Bytes received (upper 32 bits, for >4 GiB) |
| Acct-Output-Gigawords | Bytes sent (upper 32 bits, for >4 GiB) |
| Acct-Input-Packets | Packets received |
| Acct-Output-Packets | Packets sent |
| Acct-Session-Time | Session duration in seconds |
Terminate Causes
| Acct-Terminate-Cause | When |
|---|---|
| User-Request | Subscriber initiated disconnect |
| Session-Timeout | Lease or session timeout |
| Admin-Reset | CLI or API disconnect |
| NAS-Reboot | BNG graceful shutdown |
Change of Authorization (RFC 5176)
Real-time policy changes without disconnecting the subscriber:
Rate Changes
Update subscriber speeds mid-session:
echo "Acct-Session-Id=abng-1234-5, Athena-Rate-Down=100000000, Athena-Rate-Up=40000000" | \
radclient -x <bng-ip>:3799 coa <secret>
The subscriber's QoS is updated in milliseconds — no packet loss, no session interruption.
Disconnect Messages
Administratively terminate a session:
echo "Acct-Session-Id=abng-1234-5" | \
radclient -x <bng-ip>:3799 disconnect <secret>
RADIUS Server Compatibility
AthenaBNG works with any RFC-compliant RADIUS server:
- FreeRADIUS — We provide example configuration files
- Radiator — Widely used in Australian ISPs
- ClearBox — Windows-based RADIUS
- Any RFC 2865/2866/5176 server
Configuration
radius:
servers:
- address: "10.0.0.10"
auth_port: 1812
acct_port: 1813
secret: "your-radius-secret"
coa_enabled: true
coa_port: 3799
acct_interim_interval: 300
nas_identifier: "AthenaBNG"