GPON Authentication Overview

1. Introduction

The GPON Authentication module provides AAA (Authentication, Authorization, and Accounting) services for GPON (Gigabit Passive Optical Network) broadband users. The configuration uses FreeRADIUS to intercept incoming access requests from users, sanitize and validate the credentials, and proxy the validation to a backend database (SQL or Redis) for the final accept/reject decision.

2. Key Objectives

  • Provide robust, high-performance authentication for GPON subscribers.

  • Enforce strict username and password format constraints to prevent injection and malformed requests.

  • Validate simultaneous sessions to prevent abuse.

  • Ensure that blocks on barred users are strictly enforced at the post-authentication stage.

3. Workflow Summary

  1. The GPON network equipment (BNG/BRAS) sends a RADIUS Access-Request.

  2. The RADIUS server receives the request at the main entry site (sites-available/gpon).

  3. The server runs pre-checks (validating spacing, dot formatting, and realms).

  4. The server extracts the canonical user identifier (94-prefixed number).

  5. The server passes the sanitized request to the database.

  6. The server returns Access-Accept or Access-Reject based on the retrieved Cleartext-Password.

  7. The server applies post-authentication bounds (max sessions, barring status).
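
The pre-checks and identifier extraction from steps 3 and 4, written out as an added Python reference that is not part of the GPON configuration itself. The allow-listed realm, the digits-only form of the 94-prefixed number, and the function name are assumptions made for illustration.

```python
import re

# Assumptions for this example (not taken from the GPON configuration):
# the subscriber number is "94" followed by digits only, and at most one
# "@realm" suffix is allowed. ALLOWED_REALMS is a hypothetical allow-list.
ALLOWED_REALMS = {"gpon.example.net"}
SUBSCRIBER_RE = re.compile(r"94[0-9]+")
REALM_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def precheck_username(user_name):
    """Return (canonical_id, None) on success or (None, reason) on reject."""
    # Spacing: reject whitespace and control characters anywhere in the name.
    if not user_name or re.search(r"[\s\x00-\x1f\x7f]", user_name):
        return None, "whitespace or control character in User-Name"
    # Dot formatting: no empty labels, no leading or trailing dot.
    if ".." in user_name or user_name.startswith(".") or user_name.endswith("."):
        return None, "malformed dots in User-Name"
    # Realm: at most one '@'; the realm must be well formed and allow-listed.
    local, sep, realm = user_name.partition("@")
    if sep:
        if "@" in realm:
            return None, "multiple realm separators"
        realm = realm.lower()
        if not REALM_RE.fullmatch(realm):
            return None, "malformed realm"
        if realm not in ALLOWED_REALMS:
            return None, "unknown realm"
    # Canonical identifier: the whole local part must be the 94-prefixed
    # number. fullmatch() is used so nothing can trail the digits.
    if not SUBSCRIBER_RE.fullmatch(local):
        return None, "local part is not a 94-prefixed number"
    return local, None


if __name__ == "__main__":
    # Constructed sample User-Name values, not captured traffic.
    for name in ("94712345678@gpon.example.net", "94712345678 ",
                 "94712345678@gpon..example.net", "94712345678'--"):
        print(repr(name), "->", precheck_username(name))
```

Only the canonical identifier returned on success should be used as the database lookup key; the raw User-Name is never passed through.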