Enterprise (ENT) Authentication Overview

Introduction

The Enterprise (ENT) module runs alongside the LTE configurations. It handles AAA routing for enterprise leased-line and corporate mobile broadband users. The configuration uses FreeRADIUS to distinguish standard MSISDN-based logins from explicit corporate Username logins, and runs a distinct logic flow for each profile format.

Key Objectives

  • Serve as the unified entry point for both LTE and ENT traffic, branching immediately based on APN strings (Called-Station-Id).

  • Differentiate between ENT1 (device-based, MSISDN) and ENT2 (identity-based, Username) authentication.

  • Manage complex IP allocations, handling conflicts between statically assigned DB IPs and dynamically requested Framed-Addresses from downstream routers (SMF/BNG).

  • Perform strict PAP validation against the SQL core.

Workflow Summary

  1. The RADIUS server receives incoming requests on the shared ent_lte virtual server.

  2. The server analyzes the Called-Station-Id. If it lacks standard LTE APN names, it assumes Enterprise traffic and delegates to ent_auth_policy.

  3. The policy checks whether the User-Name contains an @ character.

  4. If it does, the request is tagged as group ENT2. Otherwise it is tagged as ENT1, and the script concatenates Calling-Station-Id and Called-Station-Id to build an internal DB key.

  5. The ent_sql mechanism queries the DB.

  6. The framework executes PAP matching.

  7. Address conflict resolution reconciles any mismatch between the Framed-Address from the DB and the one sent by the router.
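
Steps 2 to 6 as a FreeRADIUS 3.x unlang sketch. This is an added example, not the deployment's own configuration. The LTE APN pattern, the lte_auth_policy name, the use of Tmp-String-0 and Tmp-String-1, the missing-attribute reject and the file names are assumptions. Step 7 is left out because the page does not state which address wins.

```unlang
# sites-available/ent_lte (assumed file name; authorize path only)
server ent_lte {
    authorize {
        # Step 2: branch on the APN. The pattern is a placeholder;
        # substitute the deployment's real LTE APN names.
        if (&Called-Station-Id =~ /^(lte-apn-1\.example|lte-apn-2\.example)$/i) {
            lte_auth_policy    # hypothetical name for the LTE branch
        }
        else {
            ent_auth_policy
        }
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}

# policy.d/ent_auth (assumed file name)
ent_auth_policy {
    if (&User-Name =~ /@/) {
        # Steps 3-4: identity-based login
        update control {
            &Tmp-String-0 := "ENT2"    # assumed place to hold the tag
        }
    }
    else {
        # Assumed hardening: without Calling-Station-Id the key would
        # collapse to the APN alone and be shared by every device on it.
        if (!&Calling-Station-Id) {
            reject
        }
        update control {
            &Tmp-String-0 := "ENT1"
        }
        update request {
            # Step 4: internal DB key, Calling- then Called-Station-Id
            # (no separator assumed)
            &Tmp-String-1 := "%{Calling-Station-Id}%{Called-Station-Id}"
        }
    }
    ent_sql    # step 5: assumed rlm_sql instance that looks up the key
    pap        # step 6: sets Auth-Type PAP when User-Password is present
}
```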