BRASs manage users in either of the following modes:
Based on domains
In this mode, each user belongs to a domain, and different users can belong to the same domain. By default, if the user name used by a user to access a BRAS does not contain a domain name, the user is added to the default domain. Service attributes can be configured for a domain. Then all users in the domain have the same service attributes. This implementation allows the BRAS to manage users.
Based on user accounts
User accounts and service attributes are configured on an AAA server. The configured user accounts and service attributes are then delivered to users when they go online or dynamically delivered to users after the users go online.
In actual applications (except in non-authentication and non-accounting scenarios), all user accounts must be configured on an AAA server, and all the domains to which the user accounts belong must be configured on the BRAS. The BRAS allows local user accounts to be configured and managed.
Generally, the service attributes configured in a domain have a lower priority than the service attributes delivered by an AAA server. Therefore, when service attributes configured in a domain and those delivered by an AAA server both exist on the BRAS, the BRAS prefers the service attributes delivered by the AAA server. The service attributes configured in a domain take effect only when no AAA server is available or the configured service attributes are not delivered by the AAA server.
A domain is a collection of service management features. User management functions, such as AAA and traffic control, are implemented based on domains on a BRAS. Therefore, user groups can be differentiated by domains to have specific services.
The user name format can be username@domain or domain@username on a BRAS, where @ is a domain name delimiter. A domain name can precede or follow a user name, which can be configured. If a user name does not contain @, the user belongs to the default domain. Any user belongs to a specific domain.
In a domain, you can specify authentication, authorization, and accounting schemes and servers for user access, the authentication mode used in user authentication, the DNS server and IP address pool assignable to users, a limit on the number of access users, the address pool for allocating IPv6 addresses, NDRA prefixes, and PD prefixes, and DNS server's IPv6 address.
This section mainly describes the following attributes:
Time range control
Domain-based time range control allows a domain to be automatically blocked in the specified time range. During this time range, users in this domain are denied access, and online users are forced offline. After this time range elapses, the domain becomes activated again, and the users in this domain are allowed access again. Four time ranges can be set for a domain, and all of them take effect, independent of each other.
Mandatory PPP authentication
In normal situations, the PPP client and VT interface negotiate the PPP authentication mode, such as PAP, CHAP, or MSCHAP. If a mandatory PPP authentication mode is configured for a domain, this authentication mode is used.
IP address usage alarm
After an IP address usage alarm threshold (in percentage) is configured, if the IP address usage in a domain exceeds the alarm threshold, the BRAS reports an alarm to the NMS. If no such alarm threshold is configured, the BRAS does not generate any alarm, irrespective of the IP address usage.
IPv6 address and prefix usage alarm functions
After an IPv6 address and prefix usage alarm threshold (in percentage) is configured, if the usage of IPv6 addresses, NDRA prefixes, or PD prefixes in a domain exceeds the alarm threshold, the BRAS reports an alarm to the NMS. If no such alarm threshold is configured, the BRAS does not generate any alarm, irrespective of the usage of IPv6 addresses, NDRA prefixes, or PD prefixes.
If unauthorized users attempt to access addresses that they are not authorized to, the BRAS forcibly redirects their access requests to the mandatory web server.
After a user goes online, the user can be managed through a domain in terms of basic access services (such as the access to the Internet) or the authorities, bandwidth, and QoS of value-added services. The involved service attributes include QoS profile, user priority, captive portal, multicast group, time range, traffic statistics, accounting packet copy, and idle-cut. This section mainly describes the following attributes:
When a user accesses an external network for the first time after being authenticated, the BRAS forcibly redirects the access request to a specific server, which is usually the portal server of a carrier. This implementation allows the user to access a carrier service immediately after the user accesses the Internet.
When a user's traffic volume goes below the lower threshold in a specified period of time, the BRAS considers the user idle, and therefore cuts off the connection with the user. When idle-cut is configured, you must also specify the time period and traffic.
For Layer 2 DHCPv4 and DHCPv6 users whose IP addresses are not assigned by the BRAS (for example, they are assigned by a remote DHCP server), configuring idle-cut is not recommended. If idle-cut is configured and the users are logged out, the DHCP server will reclaim the IP addresses so that the users can no longer be triggered to go online.
If Layer 2 DHCPv4 users are logged out and need to be triggered to go online again, they must send ARP or IP packets to go online. Some STBs cannot send ARP packets to go online. By default, the device does not allow users to send ARP or IP packets to go online. In addition, IP address reservation based on leases or MAC addresses must be configured. If this function is not configured, the IP addresses used by users to go online may be allocated to other users, so that the users will fail to go online again.
If Layer 2 DHCPv6 users are logged out and need to be triggered to go online again, they must send NS/NA or IPv6 packets to go online. By default, the device does not allow users to send NS/NA or IPv6 packets to go online. In addition, IPv6 address reservation based on DUIDs or MAC addresses must be configured. If PD prefixes must be allocated, you must also configure prefix reservation. If these functions are not configured, the IPv6 addresses and prefixes used by users to go online may be allocated to other users, so that the users will fail to go online again.
Do not configure idle-cut for Layer 3 DHCPv4 and DHCPv6 users because they cannot be triggered to go online.
Idle-cut cannot be configured or leased lines or leased line users.
Idle-cut takes effect only for users who go online after idle-cut is configured.
Traffic statistics cover the total traffic in a domain and the upstream and downstream traffic of each user.
Time range-based QoS control
QoS control is performed for domain users in a specified time range. After the time range elapses, QoS control is no longer performed for domain users.