PPPoE, RADIUS and B-RAS/BNG for ISPs

The core of an ISP is where the subscriber authenticates. Misconfigured PPPoE means subscriber drops, RADIUS rejections and ERP that does not talk to the router. We solve it end to end.

What is B-RAS and why it matters

The B-RAS (Broadband Remote Access Server) is the equipment where subscriber PPPoE sessions terminate. It receives the username and password, queries the RADIUS, applies the speed profile and assigns the IP. When the B-RAS is misconfigured, everything behind it suffers: slow authentication, sessions that drop without reason, subscribers without an IP or with the wrong IP.

BNG (Broadband Network Gateway) is the more modern name for the same role — used mainly when the equipment also handles edge routing, CGNAT and QoS control all in the same chassis.

Equipment we work with

Each platform has its own PPPoE, RADIUS and QoS logic. Knowing the differences avoids configuring Huawei as if it were Juniper — and vice versa.

  • Huawei NE8000 / NE40E / NE40X — high-performance platforms for mid-size and large ISPs. VRP. Full support for dual-stack PPPoE, integrated CGNAT and BNG.
  • Juniper MX — JUNOS. Very granular QoS control and queue hierarchy. Common in ISPs that also operate regional backbone.
  • Cisco ASR 1000 / IOS XR — present in legacy networks and large-scale integrations. We handle migration and coexistence.
  • MikroTik CHR / CCR2116 — a valid solution for ISPs with up to 800–1,200 PPPoE subscribers with broad IPv6. RouterOS. Much lower hardware cost. The real limit is in concurrent session state capacity and CGNAT throughput.

RADIUS integration with ERP

RADIUS is not an island. It needs to communicate with the ISP's ERP to know whether the subscriber is in good standing, which plan is active and whether a fixed IP is assigned. Different ERPs implement this integration in different ways — and some have known bugs that cause silent authentication failures.

  • Integration with MK-Auth, IXC Telecom, SGP, Voalle and custom ERPs
  • RADIUS attribute configuration per ERP: Rate-Limit, Framed-IP-Address, Session-Timeout, Class
  • Vendor-Specific Attributes (VSA) for equipment that requires proprietary attributes (Huawei VSA, Juniper VSA, MikroTik VSA)
  • Integration testing: simulate Access-Request and verify Access-Accept with correct attributes

PPPoE authentication failure debugging

A subscriber who cannot connect may have: wrong password in the ERP, ERP blocked for non-payment, RADIUS returned Access-Reject for no clear reason, B-RAS cannot reach RADIUS, or the plan attribute returned is invalid for that equipment. Each case has a different cause.

  • Capture of Access-Request and Access-Reject/Accept on the RADIUS server with full attributes
  • Accounting verification (Start, Stop, Interim-Update) to confirm the session is being recorded
  • B-RAS log analysis (debug ppp, debug aaa) to identify at which step the session fails
  • Identification of shared secret, timeout or shared-secret problems across multiple B-RAS

Vendor-Specific Attributes and plan control

Standard RADIUS Rate-Limit (via Framed-IP, Class and similar) does not always work on all equipment. Huawei, Juniper and MikroTik have proprietary VSAs for speed, QoS and policy control. Using the wrong attribute results in a subscriber with no shaping or shaping different from their plan.

  • Mapping of correct VSAs per vendor and firmware/software version
  • Plan profile configuration in the ERP to return the right attributes per equipment
  • Validation that the shaping applied at the B-RAS matches the plan registered in the ERP

Evolving from MikroTik to a dedicated B-RAS

MikroTik CCR2116 with broad IPv6 handles up to 800–1,200 PPPoE subscribers well. Above that, the real limit shows up under peak load: concurrent session state, CGNAT and forwarding throughput. Migration to Huawei NE or Juniper MX must be planned before reaching that limit — migrating in crisis is more expensive and riskier.

  • Current load analysis on the CCR: forwarding CPU, session RAM, packets per second
  • Growth projection to identify when the limit becomes a real problem
  • Migration planning: keep MikroTik in parallel as fallback during the transition
  • Configuration migration: IP pools, plan profiles, RADIUS integration, CGNAT

How we work and how to get started

We work on a monthly plan — no one-off projects and no hourly-rate diagnostics. The first conversation is at no cost: we call, you share an AnyDesk session and show us the B-RAS and RADIUS live while we share observations. If it makes sense for both sides, we close the monthly plan and go from there. Full admin access from the start — we need it to work effectively.

Talk to us — initial conversation, no commitment. See also: BGP for ISPs, CGNAT, IPv6.

FREQUENTLY ASKED QUESTIONS

How does the work start with you?

The first conversation is at no cost. You reach out, we call, you open an AnyDesk session and show us the B-RAS and RADIUS live. We share observations on the configuration, attributes and what is causing the problem. If it makes sense for both sides, we close the monthly plan and start the following week.

Do you charge a setup or onboarding fee?

No. The monthly plan covers everything: initial configuration, adjustments, monitoring and continuous support.

How long does it take to resolve a PPPoE authentication problem?

Simple problems — wrong password, missing attribute, incorrect shared secret — are resolved in minutes with access to the RADIUS and the B-RAS. More complex problems involving interaction between ERP, RADIUS and multiple B-RAS devices may take a few hours of analysis. In no case do we leave the subscriber offline while we investigate — we isolate the problem without affecting connected users.