BRASs manage users in either of the following modes:
Based on domains
In this mode, each user belongs to exactly one domain, and many users can belong to the same domain. By default, if the user name a user presents to the BRAS does not contain a domain name, the user is placed in the default domain. Service attributes are configured per domain, so every user in a domain receives the same service attributes. Configuring attributes per domain rather than per user is what makes it practical for the BRAS to manage large numbers of users.
Based on user accounts
User accounts and their service attributes are configured on an AAA server. The server delivers a user's service attributes to the BRAS when the user goes online, or changes them dynamically after the user is already online.
In practice (except in scenarios with neither authentication nor accounting), user accounts are configured on an AAA server, while every domain that those accounts can belong to must be configured on the BRAS itself. The BRAS can also hold locally configured and managed user accounts, for example where no AAA server is deployed.
Service attributes configured in a domain have a lower priority than service attributes delivered by an AAA server. When both exist for a user, the BRAS applies the AAA-delivered value. A domain-configured attribute takes effect only when no AAA server is available or when the AAA server does not deliver that particular attribute.
A domain is a collection of service management features. User management functions, such as AAA and traffic control, are implemented based on domains on a BRAS. Therefore, user groups can be differentiated by domains to have specific services.
On a BRAS a user name takes the form username@domain or domain@username, where @ is the domain name delimiter. Whether the domain name precedes or follows the user name is configurable. A user name that contains no @ is placed in the default domain, so every user always belongs to exactly one domain.
In a domain you can specify the authentication, authorization, and accounting schemes and servers used for user access, the authentication mode used in user authentication, the DNS server and IP address pool assignable to users, a limit on the number of access users, the address pools for allocating IPv6 addresses, NDRA prefixes, and PD prefixes, and the DNS server's IPv6 address.
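The two rules above (a user is placed in a domain by splitting the user name at the @ delimiter, and AAA-delivered attributes override the domain's own attributes) are shown below as an added example. The code is not part of the original documentation or of any vendor implementation; the domain names, attribute names, sample values and the choice to split at the first delimiter are assumptions made for illustration.

```python
"""Added example, not from the original documentation: place a subscriber in
a domain from its user name, then build the session's effective service
attributes with AAA-delivered values taking priority over domain values.
Domain names, attribute names and the first-delimiter split are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

DELIMITER = "@"              # domain name delimiter
DEFAULT_DOMAIN = "default0"  # assumed name of the default domain


@dataclass
class Domain:
    name: str
    # Service attributes configured in the domain. They have lower priority
    # than anything the AAA server delivers for the same attribute.
    attributes: dict = field(default_factory=dict)


def split_user_name(user_name: str, domain_first: bool = False) -> tuple[str, str]:
    """Return (user, domain) for user@domain, or for domain@user when
    domain_first is True (the delimiter position is configurable on the
    BRAS). A user name without the delimiter belongs to the default domain.
    Splitting at the first delimiter only is an assumption of this example,
    so "a@b@c" in user@domain form yields user "a" and domain "b@c".
    """
    if DELIMITER not in user_name:
        return user_name, DEFAULT_DOMAIN
    left, right = user_name.split(DELIMITER, 1)
    return (right, left) if domain_first else (left, right)


def resolve_domain(user_name: str, configured: dict[str, Domain],
                   domain_first: bool = False) -> Optional[Domain]:
    """Look up the domain the user belongs to. Every domain an account can
    belong to must exist on the BRAS; an unknown domain means the user cannot
    be placed anywhere and access is refused (None).
    """
    _, domain_name = split_user_name(user_name, domain_first)
    return configured.get(domain_name)


def effective_attributes(domain: Domain, aaa_delivered: Optional[dict]) -> dict:
    """Merge domain-configured attributes with those the AAA server delivered
    for this session. AAA values win; a domain value is used only where the
    server delivered nothing for that attribute (key absent or None) or no
    AAA server responded at all (aaa_delivered is None).
    """
    merged = dict(domain.attributes)
    for key, value in (aaa_delivered or {}).items():
        if value is not None:
            merged[key] = value
    return merged


if __name__ == "__main__":
    # Constructed sample configuration.
    domains = {
        "isp1": Domain("isp1", {"qos_profile": "basic_10m", "dns": "192.0.2.53"}),
        DEFAULT_DOMAIN: Domain(DEFAULT_DOMAIN, {"qos_profile": "basic_2m"}),
    }
    for name in ("alice@isp1", "bob", "carol@nosuchdomain"):
        dom = resolve_domain(name, domains)
        print(name, "->", dom.name if dom else "rejected (domain not on BRAS)")
    # AAA delivered a better QoS profile but no DNS server: DNS comes from the domain.
    print(effective_attributes(domains["isp1"], {"qos_profile": "gold_100m", "dns": None}))
```

The merge deliberately treats an attribute the AAA server sends as None the same as one it does not send, so a half-populated authorization reply cannot blank out a domain default.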
This section mainly describes the following attributes:
Time range control
Domain-based time range control automatically blocks a domain during a specified time range. While the domain is blocked, users in it are denied access and users already online are forced offline. When the time range elapses, the domain is activated again and its users can access again. Up to four time ranges can be configured for a domain; they take effect independently of each other, so the domain is blocked whenever any one of them is active.
Mandatory PPP authentication
Normally the PPP client and the VT interface negotiate the PPP authentication mode (PAP, CHAP, or MSCHAP). If a mandatory PPP authentication mode is configured for a domain, that mode is used for all users in the domain regardless of the negotiation result.
IP address usage alarm
After an IP address usage alarm threshold (in percentage) is configured, if the IP address usage in a domain exceeds the alarm threshold, the BRAS reports an alarm to the NMS. If no such alarm threshold is configured, the BRAS does not generate any alarm, irrespective of the IP address usage.
IPv6 address and prefix usage alarm functions
After an IPv6 address and prefix usage alarm threshold (in percentage) is configured, if the usage of IPv6 addresses, NDRA prefixes, or PD prefixes in a domain exceeds the alarm threshold, the BRAS reports an alarm to the NMS. If no such alarm threshold is configured, the BRAS does not generate any alarm, irrespective of the usage of IPv6 addresses, NDRA prefixes, or PD prefixes.
Mandatory Portal
If unauthorized users attempt to reach addresses they are not authorized to access, the BRAS forcibly redirects their requests to the mandatory web server.
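The time range control described above, as an added example that is not part of the original documentation: a domain carries up to four daily block ranges, any active range blocks the domain, new users are refused while it is blocked, and users already online are forced offline. Daily HH:MM ranges, the wrap-past-midnight handling, and the domain and user names are assumptions made for illustration.

```python
"""Added example, not from the original documentation: domain-based time
range control with up to four independent block ranges. Daily HH:MM ranges
and the wrap-past-midnight rule are assumptions of this example.
"""
from __future__ import annotations

from datetime import datetime, time

MAX_BLOCK_RANGES = 4


def parse_hhmm(text: str) -> time:
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


class BlockTimeRange:
    """A daily range [start, end). A range whose end is earlier than its
    start (for example 23:00-06:00) wraps past midnight."""

    def __init__(self, start: str, end: str) -> None:
        self.start = parse_hhmm(start)
        self.end = parse_hhmm(end)

    def contains(self, t: time) -> bool:
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end


class DomainTimeControl:
    def __init__(self, name: str) -> None:
        self.name = name
        self.block_ranges: list[BlockTimeRange] = []
        self.online_users: set[str] = set()

    def add_block_range(self, start: str, end: str) -> None:
        if len(self.block_ranges) >= MAX_BLOCK_RANGES:
            raise ValueError(f"domain {self.name}: at most {MAX_BLOCK_RANGES} block time ranges")
        self.block_ranges.append(BlockTimeRange(start, end))

    def is_blocked(self, now: datetime) -> bool:
        # The ranges are independent: the domain is blocked if any is active.
        return any(r.contains(now.time()) for r in self.block_ranges)

    def admit(self, user: str, now: datetime) -> bool:
        """Access request from a user in this domain: refused while blocked."""
        if self.is_blocked(now):
            return False
        self.online_users.add(user)
        return True

    def enforce(self, now: datetime) -> list[str]:
        """Run periodically: once the domain becomes blocked, force every
        online user offline and return the users that were cut."""
        if not self.is_blocked(now):
            return []
        cut = sorted(self.online_users)
        self.online_users.clear()
        return cut


if __name__ == "__main__":
    # Constructed sample: night-time block that crosses midnight plus a lunch-hour block.
    isp1 = DomainTimeControl("isp1")
    isp1.add_block_range("23:00", "06:00")
    isp1.add_block_range("12:00", "13:00")
    print("admit alice at 10:00:", isp1.admit("alice", datetime(2024, 1, 1, 10, 0)))
    print("admit bob at 12:30:", isp1.admit("bob", datetime(2024, 1, 1, 12, 30)))
    print("forced offline at 23:30:", isp1.enforce(datetime(2024, 1, 1, 23, 30)))
```

The end of a range is exclusive, so a domain blocked 23:00-06:00 admits users again at exactly 06:00; if a deployment needs the opposite convention, only `BlockTimeRange.contains` changes.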
After a user goes online, the user can be managed through a domain in terms of basic access services (such as the access to the Internet) or the authorities, bandwidth, and QoS of value-added services. The involved service attributes include QoS profile, user priority, captive portal, multicast group, time range, traffic statistics, accounting packet copy, and idle-cut. This section mainly describes the following attributes:
Captive portal
When a user accesses an external network for the first time after being authenticated, the BRAS forcibly redirects the access request to a specific server, which is usually the portal server of a carrier. This implementation allows the user to access a carrier service immediately after the user accesses the Internet.
Idle-cut
When a user's traffic volume within a specified detection period falls below the configured traffic threshold, the BRAS considers the user idle and cuts the connection. When configuring idle-cut, you must specify both the detection period and the traffic threshold.
For Layer 2 DHCPv4 and DHCPv6 users whose IP addresses are not assigned by the BRAS (for example, addresses assigned by a remote DHCP server), configuring idle-cut is not recommended: if idle-cut logs such users out, the DHCP server reclaims their IP addresses and the users cannot be triggered to go online again.
Layer 2 DHCPv4 users that have been logged out and need to go online again must send ARP or IP packets to trigger access, and some STBs cannot send ARP packets for this purpose. By default, the device does not allow users to trigger access with ARP or IP packets. In addition, IP address reservation based on leases or MAC addresses must be configured; otherwise the IP addresses the users were using may be allocated to other users, and the users will fail to go online again.
Layer 2 DHCPv6 users that have been logged out and need to go online again must send NS/NA or IPv6 packets to trigger access. By default, the device does not allow users to trigger access with NS/NA or IPv6 packets. In addition, IPv6 address reservation based on DUIDs or MAC addresses must be configured, and if PD prefixes must be allocated, prefix reservation as well; otherwise the IPv6 addresses and prefixes the users were using may be allocated to other users, and the users will fail to go online again.
Do not configure idle-cut for Layer 3 DHCPv4 and DHCPv6 users, because once logged out they cannot be triggered to go online again.
Idle-cut cannot be configured for leased lines or leased line users.
Idle-cut takes effect only for users who go online after idle-cut is configured.
Traffic statistics
Traffic statistics cover the total traffic in a domain and the upstream and downstream traffic of each user.
Time range-based QoS control
QoS control is performed for domain users in a specified time range. After the time range elapses, QoS control is no longer performed for domain users.
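The idle-cut behaviour and its caveats described in the Idle-cut passage above, as an added example that is not part of the original documentation: a user is cut when the traffic in one detection period falls below the threshold, idle-cut never applies to leased lines or to users who were already online when it was configured, and DHCP users carry deployment warnings drawn from the text. The access type labels, counter readings, thresholds and the assumption that counters are sampled once per detection period are made for illustration.

```python
"""Added example, not from the original documentation: idle-cut decision
and deployment caveats. Access type labels, counter samples and thresholds
are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdleCut:
    period_s: int          # detection period in seconds
    min_bytes: int         # traffic below this within one period means "idle"
    configured_at: float   # when idle-cut was configured in the domain


@dataclass
class Session:
    user: str
    # assumed labels: "ppp", "l2_dhcpv4", "l2_dhcpv6", "l3_dhcpv4", "l3_dhcpv6", "leased_line"
    access_type: str
    online_at: float
    address_from_bras: bool = True   # False when a remote DHCP server assigns the address
    address_reserved: bool = False   # lease/MAC (v4) or DUID/MAC (v6) reservation configured


def idle_cut_applies(session: Session, cfg: IdleCut) -> bool:
    """Idle-cut never applies to leased lines and only to users who went
    online after it was configured."""
    if session.access_type == "leased_line":
        return False
    return session.online_at >= cfg.configured_at


def idle_cut_warnings(session: Session) -> list[str]:
    """Caveats for DHCP users: a Layer 3 DHCP user cannot be re-triggered
    online after an idle-cut logout; a Layer 2 DHCP user should keep its
    address on the BRAS and have it reserved, or it may not come back."""
    warnings: list[str] = []
    if session.access_type in ("l3_dhcpv4", "l3_dhcpv6"):
        warnings.append("Layer 3 DHCP user cannot be re-triggered online: do not configure idle-cut")
    elif session.access_type in ("l2_dhcpv4", "l2_dhcpv6"):
        if not session.address_from_bras:
            warnings.append("address from remote DHCP server is reclaimed at logout: idle-cut not recommended")
        if not session.address_reserved:
            warnings.append("no lease/MAC or DUID/MAC reservation: address may be reallocated before re-trigger")
    return warnings


def first_idle_cut(session: Session, cfg: IdleCut,
                   counter_samples: list[tuple[float, int]]) -> Optional[float]:
    """counter_samples are (timestamp, cumulative upstream+downstream bytes)
    read at each detection period boundary since the user went online.
    Return the timestamp at which the user is cut, or None if never idle.
    Pairs closer together than one period are treated as incomplete and skipped.
    """
    if not idle_cut_applies(session, cfg):
        return None
    for (t0, b0), (t1, b1) in zip(counter_samples, counter_samples[1:]):
        if t1 - t0 < cfg.period_s:
            continue
        if b1 - b0 < cfg.min_bytes:
            return t1
    return None


if __name__ == "__main__":
    # Constructed sample: 10-minute period, 10 kB threshold, configured at t=1000.
    cfg = IdleCut(period_s=600, min_bytes=10_000, configured_at=1000.0)
    alice = Session("alice", "ppp", online_at=2000.0)
    samples = [(2000, 0), (2600, 50_000), (3200, 55_000), (3800, 56_000)]
    print("alice cut at:", first_idle_cut(alice, cfg, samples))
    stb = Session("stb1", "l2_dhcpv4", online_at=2000.0, address_from_bras=False)
    for w in idle_cut_warnings(stb):
        print("warning:", w)
```

The period check matters on the BRAS side as well as in this model: a counter read early (for instance right after a session starts) must not be compared against the threshold, or every new user would be cut in its first incomplete period.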