
1 DASAN NETWORKS GPON Training
Chapter 13. ONT Authentication By FreeRADIUS

2 www.dasannetworks.eu Table of contents
1. Service Scenario
2. RADIUS Message Format
3. OLT Configuration
4. FreeRADIUS configuration
6. CoA and DM
7. Example

3 www.dasannetworks.eu 1. Service Scenario (1)
ONU Authentication from RADIUS Server

You can use the RADIUS authentication process when an ONU (ONT) is activated and attempts to access an OLT. The RADIUS Access-Request message is sent from the OLT to the RADIUS server. If the ONU is valid, the RADIUS server consults a database of ONUs to find the ONU which matches the authentication attributes in the connection request. If the RADIUS server has valid ONU-related information, it sends the configuration settings, placed into a RADIUS Access-Accept message, to the OLT for the ONU registration. The OLT receives the service profile settings from the RADIUS server and assigns a new service profile to the ONU.

① Upload MIB Info: During the initial connection between OLT and ONU, the ONU uploads its MIB information. On the OLT side, the OLT validates the ONU using the ONU model name, firmware version and serial number.
② Send RADIUS message: If RADIUS authentication is required when the OLT and ONU are connected to each other, the OLT sends an Access-Request message with the authentication attributes (user name, user password, OLT-ID, ONU-ID, ONT model name, serial number, firmware version) to the RADIUS server.
③ Receive Response message: If the RADIUS message is sent by a valid ONU, and the authentication attributes contain the correct values, the RADIUS server sends an Access-Accept message containing the ONU configuration settings.
④ Set the configuration: The OLT receives the service profile information from the RADIUS server. The new service profile settings are assigned to the ONU.

The RADIUS server sends Disconnect Message (DM) requests in order to terminate a user session on a network access server, whereas it sends Change-of-Authorization (CoA) request messages to modify the session authorization attributes of an ONU. The OLT checks that the key of a DM message from the RADIUS server is valid. If the key value is invalid, the packets are silently discarded.

DASAN OLTs support authentication by a FreeRADIUS server ( )

4 1. Service Scenario (2)

5 2. RADIUS Message Format (1)

6 2. RADIUS Message Format (2)

7 www.dasannetworks.eu 3. OLT Configuration (1)
OLT Configuration

RADIUS Server Configuration: To configure the IP address and key value of the RADIUS server for ONU authentication, use the following configuration:

To display the information of the RADIUS server for ONU authentication, use the following command:

The RADIUS server is supported from these firmware versions:
    V5812G: 5.09
    V5824G:
    V8240: 5.10

GPON OLT Port Configuration: After the RADIUS configuration, you need to enable ONT authentication on each GPON-OLT port:
    SWITCH# configure terminal
    SWITCH(config)# gpon
    SWITCH(gpon)# gpon-olt 2
    SWITCH(config-gpon-olt[2])# onu auth-control enable

ONT identification: The RADIUS server identifies ONTs by ONT Serial Number:

8 www.dasannetworks.eu 3. OLT Configuration (2)
RADIUS Username: By default the OLT uses the ONT Serial Number as the User-Name for ONT authentication, but you can change it to the model name:
    SWITCH(config)# gpon
    SWITCH(gpon)# onu auth radius-username ?
      model-name       Use model name of ONU
      serial-number    Use GPON serial number of ONU (default)

ONT reconnecting between GPON ports: If you enable ONT authentication by the RADIUS server on more than one GPON port, then you can reconnect ONTs between them without problems. The ONT will be automatically authenticated and will receive the proper configuration. But, as you know, once an ONT has been connected it stays learned on the OLT port until it is removed manually, so the ONT will still be present in the previous port's configuration. The solution for this situation is the ONU INACTIVE feature, which deletes the ONT (with its configuration) if it is inactive for a defined time.

9 www.dasannetworks.eu 3. OLT Configuration (3)
OLT GPON Port Numbering for RADIUS communication:
    V5812G: 1, 2, 3, 4
    V5824G: 1, 2, 3, 4, 5, 6, 7, 8
    V8240: the standard port numbering is SLOT/PORT (on the left), but for RADIUS you should use the numbering on the right:

10 4. FreeRADIUS configuration (1)
DASAN OLTs support only the FreeRADIUS server. The configuration below was checked on Ubuntu 12.04.

FreeRADIUS server installation: a description is available on the network, so it will not be described here; please visit ( 

DASAN attributes definition: Create a new file dictionary.dasan in the folder etc/freeradius. Now define the attributes which will be used by FreeRADIUS for ONT authentication. The file should contain the definitions below:
    VENDOR          Dasan                                   6296
    BEGIN-VENDOR    Dasan
    ATTRIBUTE       Dasan-Gpon-Olt-Id                       integer
    ATTRIBUTE       Dasan-Gpon-Onu-Id                       integer
    ATTRIBUTE       Dasan-Gpon-Onu-Model-Name               string
    ATTRIBUTE       Dasan-Gpon-Onu-Serial-Num               string
    ATTRIBUTE       Dasan-Gpon-Onu-Profile                  string
    ATTRIBUTE       Dasan-Gpon-Onu-Firmware-Version         string
    ATTRIBUTE       Dasan-Gpon-Onu-Static-Ip                string
    ATTRIBUTE       Dasan-Gpon-Onu-Voip-Sip-Number          string
    ATTRIBUTE       Dasan-Gpon-Onu-Voip-Sip-Auth            string
    ATTRIBUTE       Dasan-Gpon-Onu-Voip-Mgc-Msg-Id          string
    ATTRIBUTE       Dasan-Gpon-Onu-Voip-Mgc-Term-Id         string
    ATTRIBUTE       Dasan-Gpon-Onu-Uni-Port-Admin           string
    ATTRIBUTE       Dasan-Gpon-Onu-Description              string
    ATTRIBUTE       Dasan-Gpon-Onu-Uni-Eth-Port-Medium      string
    ATTRIBUTE       Dasan-Gpon-Onu-Uni-Eth-Auto-Detect      string
    ATTRIBUTE       Dasan-Gpon-Onu-Mac-Filter               string
    END-VENDOR      Dasan

11 4. FreeRADIUS configuration (2)
Assign dictionary.dasan to the main RADIUS dictionary: Edit the file etc/freeradius/dictionary and include the previously created file with the DASAN attributes:
    $INCLUDE dictionary.dasan

Define OLTs as NAS (Network Access Server) servers: Edit the file etc/freeradius/clients.conf and define the OLTs on which ONTs should be authenticated by FreeRADIUS, e.g.:
    client OLT-V5812G {
        ipaddr =                  <- OLT V5812G IP Address
        secret = testing123
        vendor = Dasan
        coa_server = localhost-coa
    }
    client OLT-V8240 {
        ipaddr =                  <- OLT V8240 IP Address

12 4. FreeRADIUS configuration (3)
Home-Server configuration for CoA and DM packets: For CoA (Change of Authorization) and DM (Disconnect Message) messages you need to define the Home-Server and the OLT IP. To do that, edit the file etc/freeradius/sites-available/originate-coa and set it as below:
    home_server localhost-coa {
        type = coa
        ipaddr =
        ipaddr =
        port = 3799
        # This secret SHOULD NOT be the same as the shared
        # secret in a "client" section.
        secret = testing123
        # CoA specific parameters. See raddb/proxy.conf for details.
        coa {
            irt = 2
            mrt = 16
            mrc = 5
            mrd = 30
        }
    }

Define originate-coa: In the file etc/freeradius/radiusd.conf, include the previously edited file originate-coa:
    $INCLUDE sites-available/originate-coa

13 4. FreeRADIUS configuration (4)
User (ONT) configuration: For the user/ONT definition, modify the file etc/freeradius/users. Below is an example definition/configuration for two ONTs:
    # ONT H640GV-03 connected to OLT V5812G (SN: DSNW4ad601f8)
    DSNW4ad601f8    Cleartext-Password := "H640GV-03", Dasan-Gpon-Onu-Serial-Num == "DSNW4ad601f8"
                    Dasan-Gpon-Onu-Profile = "H640GV-03",
                    Dasan-Gpon-Onu-Description += "GV-03-TEST",
                    Dasan-Gpon-Onu-Static-Ip += " / ",
                    Dasan-Gpon-Onu-Voip-Sip-Number += "1 1112",
                    Dasan-Gpon-Onu-Voip-Sip-Auth += " haslogv03-1",
                    Dasan-Gpon-Onu-Voip-Sip-Number += "2 1114",
                    Dasan-Gpon-Onu-Voip-Sip-Auth += " haslogv03-2",
                    Dasan-Gpon-Onu-Uni-Port-Admin += "eth 3-4 disable"

    # ONT H640GW-02 connected to OLT V5812G (SN: DSNW4bd6a880)
    DSNW4bd6a880    Cleartext-Password := "H640GW-02", Dasan-Gpon-Onu-Serial-Num == "DSNW4bd6a880"
                    Dasan-Gpon-Onu-Profile = "H640GW-02",
                    Dasan-Gpon-Onu-Description += "GW-02-TEST",
                    Dasan-Gpon-Onu-Static-Ip += " / ",
                    Dasan-Gpon-Onu-Voip-Sip-Number += "1 1113",
                    Dasan-Gpon-Onu-Voip-Sip-Auth += " haslogw02"

Remember about the indentation, otherwise it will not work.


15 www.dasannetworks.eu 6. CoA and DM (1)
For ONT authentication the RADIUS server can use two types of messages: Change of Authorization and Disconnect Message.

Change of Authorization (CoA): this type of packet is used when we want to change the ONT authorization (configuration). In this situation we need to send the information below from the RADIUS server to the OLT:
    OLT-ID: the OLT GPON port to which the ONT is connected,
    ONT Serial Number,
    all configuration which we want to send (you should use the attributes which were defined in dictionary.dasan).

EXAMPLE: Previous ONT configuration in etc/freeradius/users:
    # ONT H640GV-03 connected to OLT V5812G (SN: DSNW4ad601f8)
    DSNW4ad601f8    Cleartext-Password := "H640GV-03", Dasan-Gpon-Onu-Serial-Num == "DSNW4ad601f8"
                    Dasan-Gpon-Onu-Profile = "H640GV-03",
                    Dasan-Gpon-Onu-Description += "GV-03-TEST",
                    Dasan-Gpon-Onu-Static-Ip += " / ",
                    Dasan-Gpon-Onu-Voip-Sip-Number += "1 1112",
                    Dasan-Gpon-Onu-Voip-Sip-Auth += " haslogv03-1",
                    Dasan-Gpon-Onu-Voip-Sip-Number += "2 1114",
                    Dasan-Gpon-Onu-Voip-Sip-Auth += " haslogv03-2",
                    Dasan-Gpon-Onu-Uni-Port-Admin += "eth 3-4 disable"

Now we will change the ONT configuration:
                    Dasan-Gpon-Onu-Profile = "H640GV-03-NEW",
                    Dasan-Gpon-Onu-Description += "NEW_DESCRIPTION",
                    Dasan-Gpon-Onu-Static-Ip += " / ",
                    Dasan-Gpon-Onu-Uni-Port-Admin += "eth 3-4 enable"

16 www.dasannetworks.eu 6. CoA and DM (2)
Now from the RADIUS server you need to send the CoA message:
    sudo echo "Dasan-Gpon-Olt-Id=2,Dasan-Gpon-Onu-Serial-Num=DSNW4ad601f8,Dasan-Gpon-Onu-Profile=H640GV-03-NEW,Dasan-Gpon-Onu-Description=NEW_DESCRIPTION,Dasan-Gpon-Onu-Static-Ip=' / ',Dasan-Gpon-Onu-Uni-Port-Admin='eth 3-4 enable'" | radclient -x coa testing123
    Sending CoA-Request of id 134 to port 3799
        Dasan-Gpon-Olt-Id = 2
        Dasan-Gpon-Onu-Serial-Num = "DSNW4ad601f8"
        Dasan-Gpon-Onu-Profile = "H640GV-03-NEW"
        Dasan-Gpon-Onu-Description = "NEW_DESCRIPTION"
        Dasan-Gpon-Onu-Static-Ip = " / "
        Dasan-Gpon-Onu-Uni-Port-Admin = "eth 3-4 enable"
    rad_recv: CoA-ACK packet from host port 3799, id=134, length=20

Of course, during the next ONT authorization (e.g. after an ONT restart) the ONT will always receive the new configuration from RADIUS. So if you do not want to send all of the new configuration from RADIUS, you can also send a DM packet (described on the next slide): the ONT will be deleted from the OLT, discovered again on the GPON-OLT port, and will try to authenticate.

17 www.dasannetworks.eu 6. CoA and DM (3)
Disconnect Message (DM): this type of packet is used when we want to delete the authentication of an ONT, i.e. remove all configuration which the ONT received during the last successful authorization. It carries:
    OLT-ID: the OLT GPON port to which the ONT is connected,
    ONT Serial Number.

EXAMPLE: We will comment out or delete the ONT configuration in the file etc/freeradius/users:
    # ONT H640GV-03 connected to OLT V5812G (SN: DSNW4ad601f8)
    #DSNW4ad601f8   Cleartext-Password := "H640GV-03", Dasan-Gpon-Onu-Serial-Num == "DSNW4ad601f8"
    #               Dasan-Gpon-Onu-Profile = "H640GV-03",
    #               Dasan-Gpon-Onu-Description += "GV-03-TEST",
    #               Dasan-Gpon-Onu-Static-Ip += " / ",
    #               Dasan-Gpon-Onu-Voip-Sip-Number += "1 1112",
    #               Dasan-Gpon-Onu-Voip-Sip-Auth += " haslogv03-1",
    #               Dasan-Gpon-Onu-Voip-Sip-Number += "2 1114",
    #               Dasan-Gpon-Onu-Voip-Sip-Auth += " haslogv03-2",
    #               Dasan-Gpon-Onu-Uni-Port-Admin += "eth 3-4 disable"

Now from the RADIUS server send the DM packet:
    sudo echo "Dasan-Gpon-Olt-Id=2,Dasan-Gpon-Onu-Serial-Num=DSNW4ad601f8" | radclient -x disconnect testing123
    Sending Disconnect-Request of id 238 to port 3799
        Dasan-Gpon-Olt-Id = 2
        Dasan-Gpon-Onu-Serial-Num = "DSNW4ad601f8"
    rad_recv: Disconnect-ACK packet from host port 3799, id=238, length=20

DM PACKET = no onu ONU-SN

You can use a DM packet instead of a CoA packet; then the ONT will be discovered again on the OLT and will try to authenticate again.
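The key check from slide 3 and the Disconnect-Request/ACK exchange above, worked through as an added example (not code from the presentation or from DASAN): it builds the DM packet for OLT port 2 and serial DSNW4ad601f8, shows why an OLT configured with a different key discards it, and checks the 20-byte ACK the way radclient does. The Dasan vendor id 6296 comes from dictionary.dasan on this page; the vendor-type numbers of the two attributes are not on the page and are assumed placeholders.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes used by the DM exchange on this page
DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41
VENDOR_DASAN = 6296  # vendor id from dictionary.dasan on this page
# The vendor-type numbers are not on the page: placeholders for this example only.
TYPE_OLT_ID = 1          # assumed number for Dasan-Gpon-Olt-Id
TYPE_ONU_SERIAL_NUM = 4  # assumed number for Dasan-Gpon-Onu-Serial-Num

def vsa(vendor_type, value):
    """Encode one Vendor-Specific (type 26) attribute in RFC 2865 layout with a
    single vendor sub-attribute (int -> 4-byte big-endian, str -> UTF-8 bytes)."""
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", VENDOR_DASAN) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body

def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(Code | ID | Length | 16 zero bytes | Attrs | Secret)."""
    attributes = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    auth = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    return header + auth + attributes

def verify_request(packet, secret):
    """The OLT-side check: recompute the Request Authenticator with the configured
    key; a mismatch (wrong key or altered attributes) means 'silently discard'."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_response(code, request, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)  # the ACK carries no attributes
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_response(response, request, secret):
    """radclient-side check that the ACK answers our request and was built with our key."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])

def demo(secret=b"testing123"):
    """DM for OLT port 2 / serial DSNW4ad601f8 with id 238, as in the radclient output."""
    dm = build_request(DISCONNECT_REQUEST, 238,
                       [vsa(TYPE_OLT_ID, 2), vsa(TYPE_ONU_SERIAL_NUM, "DSNW4ad601f8")], secret)
    accepted = verify_request(dm, secret)             # OLT configured with the same key
    discarded = not verify_request(dm, b"other-key")  # OLT configured with a different key
    ack = build_response(DISCONNECT_ACK, dm, secret)  # 20-byte Disconnect-ACK
    return accepted, discarded, len(ack), verify_response(ack, dm, secret)
```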

18 www.dasannetworks.eu 7. Example (1)
At this point you will see an example configuration for the V5812G OLT using ONT FreeRADIUS authentication. The topology is as in the picture on the right.

19 www.dasannetworks.eu 7. Example (2)
OLT IP interface configuration: we need to set an IP address on the OLT to communicate with the RADIUS server.
    GPON_V5812G# configure terminal
    GPON_V5812G(config)# bridge
    GPON_V5812G(bridge)# vlan create 100                  <- create VLAN 100
    GPON_V5812G(bridge)# vlan add untagged                <- assign uplink port to VLAN 100
    GPON_V5812G(bridge)# exit
    GPON_V5812G(config)# interface 100                    <- enable interface 100
    GPON_V5812G(config-if[100])# ip address /24           <- configure IP address
    GPON_V5812G(config-if[100])# no shutdown              <- enable interface
    GPON_V5812G(config-if[100])# exit
    GPON_V5812G(config)# sh ip interface brief            <- check interface
    Interface   Status   Protocol   Primary IP   Secondary IP
    lo          up       up         unassigned   unassigned
    mgmt        up       down       unassigned   unassigned
    br          up       up                      unassigned
    br          up       down       unassigned   unassigned
    br          up       down       unassigned   unassigned

Configure authentication from the RADIUS Server:
    GPON_V5812G(config)# gpon
    GPON_V5812G(gpon)# onu auth radius-server host key testing123   <- RADIUS server IP address

20 www.dasannetworks.eu 7. Example (3)
Enable ONT authentication:
    GPON_V5812G(gpon)# gpon-olt 1
    GPON_V5812G(config-gpon-olt[1])# onu auth-control enable
    GPON_V5812G(config-gpon-olt[1])# gpon-olt 2
    GPON_V5812G(config-gpon-olt[2])# onu auth-control enable
    GPON_V5812G(config-gpon-olt[2])# gpon-olt 3
    GPON_V5812G(config-gpon-olt[3])# onu auth-control enable
    GPON_V5812G(config-gpon-olt[3])# gpon-olt 4
    GPON_V5812G(config-gpon-olt[4])# onu auth-control enable

FreeRADIUS server installation: a description is available on the network, so it will not be described here; please visit ( 

DASAN attributes definition: Create a new file dictionary.dasan in the folder etc/freeradius. Now define the attributes which will be used by FreeRADIUS for ONT authentication. The file should contain the definitions below:
    VENDOR          Dasan                                   6296
    BEGIN-VENDOR    Dasan
    ATTRIBUTE       Dasan-Gpon-Olt-Id                       integer
    ATTRIBUTE       Dasan-Gpon-Onu-Id                       integer
    ATTRIBUTE       Dasan-Gpon-Onu-Model-Name               string
    ATTRIBUTE       Dasan-Gpon-Onu-Serial-Num               string
    ATTRIBUTE       Dasan-Gpon-Onu-Profile                  string
    ATTRIBUTE       Dasan-Gpon-Onu-Firmware-Version         string
    ATTRIBUTE       Dasan-Gpon-Onu-Static-Ip                string
    ATTRIBUTE       Dasan-Gpon-Onu-Voip-Sip-Number          string
    ATTRIBUTE       Dasan-Gpon-Onu-Voip-Sip-Auth            string
    ATTRIBUTE       Dasan-Gpon-Onu-Voip-Mgc-Msg-Id          string
    ATTRIBUTE       Dasan-Gpon-Onu-Voip-Mgc-Term-Id         string
    ATTRIBUTE       Dasan-Gpon-Onu-Uni-Port-Admin           string
    ATTRIBUTE       Dasan-Gpon-Onu-Description              string
    ATTRIBUTE       Dasan-Gpon-Onu-Uni-Eth-Port-Medium      string
    ATTRIBUTE       Dasan-Gpon-Onu-Uni-Eth-Auto-Detect      string
    ATTRIBUTE       Dasan-Gpon-Onu-Mac-Filter               string
    END-VENDOR      Dasan


24 Thank You. If you need help, please contact: support@dasannetworks.eu

