File and Variable Reference

1. Core Files

  • sites-available/gpon
    Purpose: The main virtual server definition for GPON requests. Hooks the request up to the authentication, authorization, accounting, and post-auth modules.

  • policy.d/gpon_auth_policy
    Purpose: The main authentication policy module for GPON. Responsible for parsing and validating the username string and retrieving the plaintext password from the database.

  • policy.d/barred_user_policy
    Purpose: Blocks users whose Barring-Status is marked as restricted by the backend systems.

  • policy.d/max_session_policy
    Purpose: Prevents simultaneous login sessions based on the user’s explicit profile rules.

2. Variable Reference Matrix

To logically trace the authorization stream, here are the key variables assigned and read during the GPON process:

2.1. User-Name

  • Purpose: Identifies the incoming client from the network hardware.

  • Dependency Tree:

    1. Sent by the client equipment (request:User-Name).

    2. Evaluated and sanitized by gpon_auth_policy (rejects spaces, multiple dots, and empty strings).

    3. Copied into the internal variable Tmp-String-0 (Tmp-String-0 = User-Name).

    4. Extracted into Tmp-String-1 by taking all characters before the @.

    5. The last 9 digits of Tmp-String-1 are appended to the prefix 94.

    6. Final canonical User-Name is rewritten into the request for Database lookup.

    7. In post-auth, reply:User-Name and session-state:User-Name are stripped to prevent leakage to the edge.

2.2. CHAP-Password

  • Purpose: The cryptographic challenge response submitted by the client.

  • Dependency Tree:

    1. Ingested from the client request.

    2. Checked for presence in gpon_auth_policy.

    3. Evaluated in the authenticate block using Auth-Type CHAP.

2.3. control:Cleartext-Password

  • Purpose: The plaintext password stored in the central AAA database.

  • Dependency Tree:

    1. Fetched from the SQL/Redis backend via gpon_sql module inside gpon_auth_policy.

    2. If missing or null, the request is rejected with the message User not found.

    3. Otherwise, used by the CHAP module to recompute the expected response to the challenge and compare it against the submitted CHAP-Password.
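The username canonicalisation of 2.1 and the CHAP check against control:Cleartext-Password of 2.3, as an added Python model of the policy logic (not the project's own unlang policy). The prefix 94, the 9-digit tail and the rejection rules follow the steps above; treating "multiple dots" as more than one dot, requiring the tail to be numeric, and the sample subscriber number, secret and challenge are assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Assumed values (not stated on the page): canonical prefix and MSISDN tail length.
PREFIX = "94"
TAIL_DIGITS = 9


def canonical_user_name(user_name: str) -> Optional[str]:
    """Model of the User-Name handling in gpon_auth_policy (2.1, steps 1-6).
    Returns the canonical User-Name, or None where the policy would reject.
    Assumptions: "multiple dots" means more than one '.', the last 9 characters
    of the local part must all be digits, and a name without '@' is the local part.
    """
    tmp0 = user_name                                   # Tmp-String-0 = User-Name
    if tmp0 == "" or " " in tmp0 or tmp0.count(".") > 1:
        return None                                    # sanitisation reject
    tmp1 = tmp0.split("@", 1)[0]                       # Tmp-String-1: text before '@'
    tail = tmp1[-TAIL_DIGITS:]
    if len(tail) != TAIL_DIGITS or not tail.isdigit():
        return None
    return PREFIX + tail                               # rewritten request:User-Name


def chap_verify(chap_password: bytes, cleartext_password: Optional[str], challenge: bytes) -> bool:
    """RFC 1994 check performed by the chap module (2.2 and 2.3).
    CHAP-Password = ident (1 byte) || MD5(ident || secret || challenge), where the
    challenge is CHAP-Challenge or, if absent, the Request Authenticator.
    A missing control:Cleartext-Password ("User not found") can never verify.
    """
    if cleartext_password is None or len(chap_password) != 17:
        return False
    ident = chap_password[:1]
    expected = hashlib.md5(ident + cleartext_password.encode() + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])   # constant-time compare


def make_chap_password(ident: int, cleartext_password: str, challenge: bytes) -> bytes:
    """Client-side helper, used only to build the constructed sample below."""
    ident_b = bytes([ident])
    return ident_b + hashlib.md5(ident_b + cleartext_password.encode() + challenge).digest()


if __name__ == "__main__":
    # Constructed sample request; the subscriber number, secret and challenge are illustrative.
    challenge = bytes(range(16))
    response = make_chap_password(7, "s3cret", challenge)
    print(canonical_user_name("0771234567@gpon"))      # 94771234567
    print(chap_verify(response, "s3cret", challenge))  # True
```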

2.4. control:Barring-Status

  • Purpose: Flags if an account is suspended or blocked.

  • Dependency Tree:

    1. Retrieved from the database user profile associated with the user.

    2. Evaluated in barred_user_policy during post-auth.

    3. If the value is not 0, the request is explicitly rejected.

2.5. control:Simultaneous-Session-Status

  • Purpose: Determines if the account has exceeded active simultaneous sessions.

  • Dependency Tree:

    1. Inherited from the session registry tables via SQL lookup.

    2. Evaluated in max_session_policy.

    3. If the value is not 1, the request is rejected with the session-limit-hit flag set.