schoolSession 06

PPPoE, RADIUS, and the Invisible Infrastructure

Your phone feels powerful in your hand, but the real power sits in routers, fibre, and policy engines. Today we unpack how sessions are created, controlled, billed, monitored, and sometimes terminated.

DE
David Emiru Egwell
CTO - SprintUG Internet Limited
6
Parts
32K
MX80 Sessions
3
AAA Decisions
1
Truth: Infrastructure
tocSession Outline
history_eduPart 1

The Copper Era Never Really Died

Before fibre and Wi-Fi, internet access came through copper telephone lines. A modem dialed a number, two endpoints negotiated a protocol, and one session came alive. That protocol was PPP.

What changed over time was mostly the transport. Copper became fibre. Electrical signal became light. But the control logic stayed: identify the subscriber, authenticate, authorize service profile, account for usage.

Dial-Up Timeline (simplified) 1. PC modem dials ISP POP number 2. Link negotiation starts 3. PPP authentication runs 4. IP details assigned 5. User session tracked until disconnect
Teaching line: We did not replace the old logic. We modernized the road beneath it.

Why this matters in 2026

  • check_circleCustomer identity is still session-based, not device-brand based.
  • check_circleAuthentication still happens before useful internet is delivered.
  • check_circleBilling and policy still depend on account-linked state, not just a cable being plugged in.
hubPart 2

PPPoE: A Virtual Phone Call Over Ethernet

PPPoE solves one core ISP problem: how to create per-customer identity and control on a shared access network.

Discovery and Authentication in practice

Phase 1 - Discovery Customer ONU -> PADI (broadcast): "Any concentrator out there?" BNG -> PADO: "Yes, I am available" Customer -> PADR: "I choose you" BNG -> PADS: "Session confirmed" (example Session ID 0x00A3) Phase 2 - Authentication BNG -> RADIUS Access-Request (username + credential context) RADIUS -> Access-Accept or Access-Reject If Accept: return service attributes (IP, timeout, profile, policy) Phase 3 - Active Session Subscriber receives assigned parameters Traffic is now attributed, policed, and accounted per session

Authentication, broken down for new engineers

Authentication means proving identity. In network terms, it answers one question first: who is requesting access?

It helps to separate three terms that are often mixed together:

  • check_circleAuthentication: Who are you?
  • check_circleAuthorization: What are you allowed to use?
  • check_circleAccounting: What did you use, and for how long?
Real flow in our ISP context 1. Customer ONU starts PPPoE session setup. 2. BNG asks for identity (username and password context). 3. BNG forwards that request to RADIUS (ICON). 4. ICON checks subscriber record: - username exists - credential matches - account state is valid 5. ICON replies: - Access-Accept, or - Access-Reject 6. If accepted, the session gets policy (IP, speed profile, timeouts). 7. If rejected, no working subscriber session is created.
Simple analogy: Authentication is showing your ID at the gate. Authorization is what areas your badge unlocks. Accounting is the gate log that records when you entered and left.

What new engineers should not assume

  • check_circlePassing authentication is not the whole story. A user can be valid but suspended by billing policy.
  • check_circleAuthentication is not encryption. Identity proof and traffic privacy are different functions.
  • check_circleNo authentication means no controlled service. The network will not attach full subscriber policy.

Your device is a terminal

Irene's phone, Dennis' laptop, Ibrahim's tablet, Msabi's desktop. Different screens, same truth. These are terminals requesting service from infrastructure they do not own.

"

The glamour is in the gadget. The control is in the network. We run the network.

David Emiru Egwell
routerPart 3

Juniper MX80 and Subscriber Visibility

Our Juniper MX80 acts as BNG: it terminates PPPoE sessions and enforces subscriber-level behavior. It does not "feel" a customer. It tracks a structured record.

MX80 Subscriber Capacity Snapshot Platform scale: ~32,000 concurrent PPPoE sessions Per-interface planning limit: ~4,000 sessions Per-session controls: - session ID - framed IP - policy profile - ingress/egress counters - timeout and accounting lifecycle

What PRTG sees

PRTG consumes counters over SNMP. To PRTG, a person is represented as session-linked telemetry: throughput, loss, latency, uptime, error counters.

MetricExampleOperational Meaning
Input Rate23.4 MbpsCurrent downstream usage relative to plan.
Output Rate4.1 MbpsCurrent upstream behavior and burst profile.
Session Uptime08:00:00Stability and churn clues.
Input Octets4.50 GB/dayBilling and traffic behavior baseline.
Latency to BNG2.4 msAccess-path quality before internet transit.
NOC advantage: Before a complaint call ends, telemetry can usually show if this is congestion, physical issue, policy cap, or remote destination slowdown.
verified_userPart 4

ICON RADIUS: Provisioning and Deprovisioning

ICON is where subscriber identity meets policy and billing. MX80 asks, ICON answers. This is AAA in action: Authentication, Authorization, Accounting.

Provisioning flow (Irene example)

ICON Subscriber Record Username: irene.chalya@sprinttz.co.tz Plan: Sprint Gold 50M/25M Status: ACTIVE IP pool: RESIDENTIAL_POOL_TZ Attributes to return: - Framed-IP-Address (dynamic from pool) - Session-Timeout - Idle-Timeout - Class / service profile Runtime sequence 1. ONU boots and starts PPPoE discovery 2. MX80 opens Access-Request toward ICON 3. ICON validates credentials and account state 4. ICON returns Access-Accept + attributes 5. MX80 installs session and enforces profile

Deprovisioning flow

When status changes to SUSPENDED: ICON can trigger disconnect by session context. MX80 tears down active PPPoE session. Assigned IP returns to pool. Next reconnect attempt receives Access-Reject. Observed impact time: typically a few seconds.

From the customer side this looks like "internet stopped." From operations side it is deterministic policy enforcement across AAA and BNG state machines.

publicPart 5

VPN Reality, Legal Context, and Sales Messaging

This section intentionally includes non-engineering language because our sales team and customer-facing staff need accurate, consistent responses.

What a VPN does and does not do

Without VPN: Device -> SprintTZ -> Destination service With VPN: Device -> Encrypted tunnel -> VPN endpoint -> Destination service ISP can still see: - active session identity - tunnel endpoint destination - timing and volume metadata ISP cannot inspect encrypted application payload in transit.
  • check_circleVPN improves privacy of content against intermediary inspection.
  • check_circleVPN does not erase account identity from access-network records.
  • check_circleVPN shifts trust toward the VPN operator handling decrypted traffic.
  • check_circleVPN does not invalidate legal process in any operating jurisdiction.

Sales-safe response script

Customer asks: "Do you spy on me?"
Recommended answer: "We do not inspect your private content for business curiosity. We operate licensed infrastructure, monitor service quality, and comply with lawful regulatory requests as required by law."
Customer asks: "I use VPN so I am invisible."
Recommended answer: "A VPN protects content in transit. It does not remove your account session from network records, and it does not remove legal accountability."

TRA alignment

SprintUG operates under Tanzania's regulatory framework. Operationally this means lawful requests for subscriber/session records must be handled through approved compliance procedures.

fact_checkPart 6

Session Summary and Key Terms

TopicCore Lesson
PPP legacyOld session logic still governs modern broadband control.
PPPoEBuilds per-subscriber state on shared Ethernet/fibre access.
MX80 BNGTerminates sessions, applies policy, tracks accounting at scale.
ICON RADIUSCentral authority for who connects, at what speed, and for how long.
PRTGTurns subscriber counters into real-time operational visibility.
VPN and compliancePayload privacy improves, but session accountability remains.
TermDefinition
PPPPoint-to-Point Protocol, classic dial-up session protocol.
PPPoEPPP over Ethernet for broadband subscriber sessions.
RADIUSAAA protocol: Authentication, Authorization, Accounting.
BNGBroadband Network Gateway terminating subscriber access sessions.
NASNetwork Access Server forwarding auth requests to AAA backend.
ONUCustomer-premises optical network unit.
Session IDUnique identifier for a live PPPoE subscriber session.
TRATanzania Communications Regulatory Authority.
"

The internet is not magic. It is policy, physics, and accountability working together at machine speed.

SprintTZ Knowledge Share - Session 06