Abstract: A first device may establish a connection with a second device, and may provide a connection check RPC message to the second device. The first device may receive a verification RPC message from the second device, and may provide, to the second device, a sync domains RPC request that includes a first list of active domains with associated address pools. The first device may receive, from the second device, a sync domains RPC response that includes threshold values for the active domains included in the first list of active domains, and may provide, to the second device, a sync pools RPC request that includes a first list of address pools associated with the active domains. The first device may receive, from the second device, a sync pools RPC response that includes confirmation of the first list of address pools, and may allocate addresses of an address pool to a CPE.

Abstract: A first device may establish a connection with a second device, and may provide a connection check RPC message to the second device. The first device may receive a verification RPC message from the second device, and may provide, to the second device, a sync domains RPC request that includes a first list of active domains with associated address pools. The first device may receive, from the second device, a sync domains RPC response that includes threshold values for the active domains included in the first list of active domains, and may provide, to the second device, a sync pools RPC request that includes a first list of address pools associated with the active domains. The first device may receive, from the second device, a sync pools RPC response that includes confirmation of the first list of address pools, and may allocate addresses of an address pool to a CPE.

Abstract: In general, techniques are described for supporting bulk delivery of change of authorization data in authentication, authorization, and accounting (AAA) protocols, where delivery is performed as a change of authorization after a subscriber has successfully authenticated and initially authorized. In one example, the techniques are directed to a method including determining, by a RADIUS server for a service provider network, change of authorization data for services to which the subscriber of the service provider network has subscribed. The method further includes generating, by the RADIUS server, RADIUS messages that form a transaction between the RADIUS server and a network access server acting as a RADIUS client. The RADIUS messages provide all of the change of authorization data to the network access server prior to the network access server provisioning the services. The method further includes outputting, by the RADIUS server, the RADIUS messages to the network access server.

Abstract: In general, techniques are described for supporting bulk delivery of change of authorization data in authentication, authorization, and accounting (AAA) protocols, where delivery is performed as a change of authorization after a subscriber has successfully authenticated and initially authorized. In one example, the techniques are directed to a method including determining, by a RADIUS server for a service provider network, change of authorization data for services to which the subscriber of the service provider network has subscribed. The method further includes generating, by the RADIUS server, RADIUS messages that form a transaction between the RADIUS server and a network access server acting as a RADIUS client. The RADIUS messages provide all of the change of authorization data to the network access server prior to the network access server provisioning the services. The method further includes outputting, by the RADIUS server, the RADIUS messages to the network access server.

Abstract: In general, techniques are described for supporting bulk delivery of change of authorization data in authentication, authorization, and accounting (AAA) protocols, where delivery is performed as a change of authorization after a subscriber has successfully authenticated and initially authorized. In one example, the techniques are directed to a method including determining, by a RADIUS server for a service provider network, change of authorization data for services to which the subscriber of the service provider network has subscribed. The method further includes generating, by the RADIUS server, RADIUS messages that form a transaction between the RADIUS server and a network access server acting as a RADIUS client. The RADIUS messages provide all of the change of authorization data to the network access server prior to the network access server provisioning the services. The method further includes outputting, by the RADIUS server, the RADIUS messages to the network access server.

Abstract: In general, techniques are described for supporting bulk delivery of change of authorization data in authentication, authorization, and accounting (AAA) protocols, where delivery is performed as a change of authorization after a subscriber has successfully authenticated and initially authorized. In one example, the techniques are directed to a method including determining, by a RADIUS server for a service provider network, change of authorization data for services to which the subscriber of the service provider network has subscribed. The method further includes generating, by the RADIUS server, RADIUS messages that form a transaction between the RADIUS server and a network access server acting as a RADIUS client. The RADIUS messages provide all of the change of authorization data to the network access server prior to the network access server provisioning the services. The method further includes outputting, by the RADIUS server, the RADIUS messages to the network access server.

Abstract: In general, techniques are described for supporting bulk delivery of change of authorization data in authentication, authorization, and accounting (AAA) protocols, where delivery is performed as a change of authorization after a subscriber has successfully authenticated and initially authorized. In one example, the techniques are directed to a method including determining, by a RADIUS server for a service provider network, change of authorization data for services to which the subscriber of the service provider network has subscribed. The method further includes generating, by the RADIUS server, RADIUS messages that form a transaction between the RADIUS server and a network access server acting as a RADIUS client. The RADIUS messages provide all of the change of authorization data to the network access server prior to the network access server provisioning the services. The method further includes outputting, by the RADIUS server, the RADIUS messages to the network access server.

Abstract: In general, techniques are described for supporting bulk delivery of change of authorization data in authentication, authorization, and accounting (AAA) protocols, where delivery is performed as a change of authorization after a subscriber has successfully authenticated and initially authorized. In one example, the techniques are directed to a method including determining, by a RADIUS server for a service provider network, change of authorization data for services to which the subscriber of the service provider network has subscribed. The method further includes generating, by the RADIUS server, RADIUS messages that form a transaction between the RADIUS server and a network access server acting as a RADIUS client. The RADIUS messages provide all of the change of authorization data to the network access server prior to the network access server provisioning the services. The method further includes outputting, by the RADIUS server, the RADIUS messages to the network access server.

Abstract: An example network access device (NAD) includes a network interface to send and receive packets with an authentication, authorization, and accounting (AAA) server, and a subscriber management service unit (SMSU). The SMSU is configured to, responsive to determining that the AAA server is not reachable by the NAD, send a message from the NAD to the AAA server using the network interface, wherein the message directs the AAA server to send a discovery request message to the NAD, receive the discovery request message from the AAA server using the network interface, wherein the discovery request message includes a request for information about a plurality of subscriber sessions, and generate a discovery response message that includes information about at least a portion of the plurality of subscriber sessions, and send the discovery response message to the network access device using the network interface.

Abstract: A computer-implemented method for managing access to services provided by wireline service providers may include (1) receiving at least one request from a subscriber device to authorize access to at least one service, (2) authenticating the subscriber device with an access gateway of a wireline service provider based at least in part on the request, (3) generating a unique session identifier that uniquely identifies the subscriber device during a service-access session, (4) delivering the unique session identifier to a management server of the wireline service provider to enable the management server to authenticate the subscriber device with at least one network device that provides the service based at least in part on the unique session identifier, and then (5) facilitating access by the subscriber device to the service provided by the network device during the service-access session. Various other systems, methods, and computer-readable media are also disclosed.

Abstract: An example network access device (NAD) includes a network interface to send and receive packets with an authentication, authorization, and accounting (AAA) server, and a subscriber management service unit (SMSU). The SMSU is configured to, responsive to determining that the AAA server is not reachable by the NAD, send a message from the NAD to the AAA server using the network interface, wherein the message directs the AAA server to send a discovery request message to the NAD, receive the discovery request message from the AAA server using the network interface, wherein the discovery request message includes a request for information about a plurality of subscriber sessions, and generate a discovery response message that includes information about at least a portion of the plurality of subscriber sessions, and send the discovery response message to the network access device using the network interface.

Abstract: An example network device includes network interfaces and a control unit that receives a network configuration request from a client device and sends a network configuration response to the client device.

Abstract: A method performed by a Dynamic Host Configuration Protocol (DHCP) server comprising receiving a DHCP DISCOVER message from a DHCP client; generating a challenge in response to the DHCP DISCOVER message; sending the challenge to an authentication device; receiving a first challenge response from the authentication device; generating a DHCP OFFER message; sending the challenge to the DHCP client in the DHCP OFFER message; receiving a DHCP REQUEST message that includes a second challenge response from the DHCP client; comparing the first challenge response with the second challenge response; and authenticating the DHCP client when the first challenge response and the second challenge response match.

Abstract: The invention is directed to techniques for initiating lawful intercept of packets associated with subscriber sessions on a network device of a service provider network based on identification triggers. A law enforcement agency may send an intercept request for a subscriber to an administration device of the service provider network. The administration device may then configure one or more identification triggers for the subscriber based on the intercept request. The techniques described herein initiate lawful intercept when one or more subscriber sessions on a network device match the one or more identification triggers. The techniques described herein include configuring trigger rules that include identification triggers for subscribers on a network device via a command line interface (CLI) of the network device. In addition, the techniques described herein include configuring identification triggers in a subscriber profile on an authentication device connected to a network device.

Abstract: An example network device includes network interfaces and a control unit that receives a network configuration request from a client device and sends a network configuration response to the client device.

Abstract: Techniques are described for load balancing subscriber sessions across tunnel termination devices. A network device is described, for example, that includes a tunneling module that load balances subscriber sessions across a plurality of tunnel termination devices based on weightings associated with the tunnel termination devices. The weightings may be assigned to the tunnel termination devices by a user, or may be calculated by the network device based on resource constraints associated with the tunnel termination devices. The network device may calculate the weightings, for example, based on a maximum number of subscriber sessions supported by each of the tunnel termination devices. As one example, the techniques may be applied to load balance Point-to-Point (PPP) subscriber sessions across L2TP Network Servers (LNSs).

Abstract: A method performed by a Dynamic Host Configuration Protocol (DHCP) server comprising receiving a DHCP DISCOVER message from a DHCP client; generating a challenge in response to the DHCP DISCOVER message; sending the challenge to an authentication device; receiving a first challenge response from the authentication device; generating a DHCP OFFER message; sending the challenge to the DHCP client in the DHCP OFFER message; receiving a DHCP REQUEST message that includes a second challenge response from the DHCP client; comparing the first challenge response with the second challenge response; and authenticating the DHCP client when the first challenge response and the second challenge response match.

Abstract: A device associated with the authentication of a user on a network, i.e., an “authentication device,” initiates lawful interception of network traffic associated with the user. The authentication device communicates with a network service device, such as an edge router, providing network access or other services to the user to enable and disable monitoring of the network user. The authentication device may issue intercept requests to the network service device upon authenticating the network user during login or at any time while the network user's session is in progress. Upon receiving an intercept request from the authentication device, the network service device mirrors data packets flowing to and from the network user for which interception has been designated. The mirrored packets are sent to an analyzer, which analyzes the packets and provides packet analysis information to a law enforcement agency.

Abstract: The invention is directed to techniques for initiating lawful intercept of packets associated with subscriber sessions on a network device of a service provider network based on identification triggers. A law enforcement agency may send an intercept request for a subscriber to an administration device of the service provider network. The administration device may then configure one or more identification triggers for the subscriber based on the intercept request. The techniques described herein initiate lawful intercept when one or more subscriber sessions on a network device match the one or more identification triggers. The techniques described herein include configuring trigger rules that include identification triggers for subscribers on a network device via a command line interface (CLI) of the network device. In addition, the techniques described herein include configuring identification triggers in a subscriber profile on an authentication device connected to a network device.

Abstract: Techniques are described for load balancing subscriber sessions across tunnel termination devices. A network device is described, for example, that includes a tunneling module that load balances subscriber sessions across a plurality of tunnel termination devices based on weightings associated with the tunnel termination devices. The weightings may be assigned to the tunnel termination devices by a user, or may be calculated by the network device based on resource constraints associated with the tunnel termination devices. The network device may calculate the weightings, for example, based on a maximum number of subscriber sessions supported by each of the tunnel termination devices. As one example, the techniques may be applied to load balance Point-to-Point (PPP) subscriber sessions across L2TP Network Servers (LNSs).