Miquel van Smoorenburg mikevs at xs4all.net
Wed Jan 26 03:16:01 CST 2011

In article <[email protected]> you write:
>Allows full authentication of customers (requires username/password)

You probably want to authenticate on circuit id, not username/password.
ATM port/vpi/vci for ATM connections, or PPPoE circuit id tag added
by the DSLAM or FTTH access switch when using an ethernet transport layer.
It's just a different radius attribute to authenticate on, no magic.
We do that so a customer doesn't have to configure his/her router
to get online.

>Easily assign static IP to customer (no MAC address or CPE information

Don't need that with DHCP either, if you run a DHCP server that can
assign IP addresses based on option82. I run a patched ISC dhcp3 server,
but I understand that ISC dhcp4 makes this pretty easy

>Assign public subnet to customer with ease (no manual routing required)

Don't need manual routing with DHCP either, if you use a real
bras such as a juniper, since you can have it authenticate off
radius first before doing DHCP, and in the radius reply you can
return a static route.

>Usage tracking (GB transfer) from radius generated data

True, at least juniper e-series BRASes don't send radius accounting
for atm rfc1483/bridged connections for some reason.

>DHCP Cons

One more DHCP con is that if you have an ethernet transport network
from the DSLAM or FTTH access switch to your router that lumps together 
multiple customers in one VLAN, something along the way is probably
doing DHCP sniffing to set up routing. And you can be just about sure
that won't work with IPv6. VLAN-per-customer will work (and is a
really a great model, for all types of encapsulation)


More information about the NANOG mailing list