On Thu, 29 Oct 2009, Frank Bulk - iName.com wrote:
Others commented on things I already had in mind only the username/password
thing of PPPoE.  We use the same username/pw on the modem as the customer
users for their e-mail, so a password change necessitates a truck roll (I
know, I know, TR-069).  We started with PPPoE for our FTTH, because we were
familiar with it, but we moved over to a "VLAN per service" model which ends
up something like RBE in function.  We can track customers based on the
Option 82 info, so we're good to go in terms of tracking them.
You can have a "network username/password" for the customer different
from the mail and other application-layer username/password. Some ISPs did that in the dial-up days, and also with PPPOx. The network account information is configured in the dialer or router/modem; and most users never need to know the network-layer stuff. The user can change their mail/application password (and use it for off-network access) without affecting their network-layer pasword.
The same network account may have multiple mail/application accounts 
associated with it. It also helps in the debate whether you store 
unreversable passwords or cleartext passwords for things like CHAP/PAP; 
need to split accounts because people change households; network 
re-architecture moves circuits around or users move and re-associating 
the connections with the correct accounts.  Yep, I sometimes found two 
households with swapped VPI/VCI, VLAN or PORT identifiers because 
someone/something made a data entry or circuit termination mistake.
I like a combination of 802.1x and Option 82 as way of cross-checking, 
and layer 2/3 anti-spoof protection.  I also like handling network things 
mostly at the network/hardware level, separate from the application layer 
identity so the user changes aren't affected.
But there are almost always multiple ways to solve a problem.

Reply via email to