As broadband connectivity continues to serve as a backbone of modern digital infrastructure, the mechanisms that enable secure and efficient access are more important than ever. Whether delivered over copper lines (xDSL), high-speed fiber networks (FTTH) or a mixture of both, fixed-line internet services rely on a well-orchestrated authentication and provisioning system to ensure that subscribers are correctly identified, authorized, and serviced.
In this post, we’ll break down the high-level architecture of fixed-line networks and identify the key software components and their responsibilities.
Fixed-Line Authentication: A High-Level View
Both Asymmetric Digital Subscriber Line (xDSL) and optical fibre networks share a similar back-end architecture when it comes to authentication and user management. While the access technologies differ (xDSL uses DSLAMs and FTTH uses Optical Line Terminals, or OLTs), the authentication flow typically follows these core stages:
1. User Initiation via CPE
When a user powers on their home router or modem, known as the Customer Premises Equipment (CPE), it initiates a connection to the broadband provider’s access network. The CPE is typically configured to use PPP over Ethernet (PPPoE) or IPoE (IP over Ethernet) with DHCP for session establishment.
2. Access Aggregation
From the CPE, traffic is routed through aggregation devices: digital subscriber line access multiplexers (DSLAMs) in xDSL networks and optical line terminals (OLTs) in optical fibre networks.
These devices forward traffic to Broadband Network Gateways (BNGs), also known as Broadband Remote Access Servers (BRAS). The BNG is the first IP-level point of access for the user, and is responsible for IP address assignment using either a built-in or an external DHCP server.
3. Authentication via AAA server
Once the session request reaches the BNG, the BNG authenticates the user against the AAA server using the RADIUS protocol.
The BNG sends credentials (typically a circuit ID or other unique identifier, sent automatically by the CPE) to a RADIUS server, which validates the connection and authorises it by setting line parameters from the central subscriber database.
4. Provisioning and IP Assignment
This is where user provisioning comes into play. User provisioning is typically done by the Subscriber Management System (SMS) or, more broadly, the OSS/BSS (Operations Support System / Business Support System). This is the software layer responsible for:
- User creation and activation
- Service profile assignment (e.g., bandwidth, VLAN tags)
- Authentication credential management (integration with subscriber database)
- Customer lifecycle management (e.g., suspension, upgrades, disconnection)
The OSS/BSS typically interfaces with the subscriber database, where the provisioned user information is stored for authentication and authorisation. Modern systems may use automation platforms like Ansible, NETCONF, or TR-069 for zero-touch provisioning of CPE devices, especially in FTTH environments.
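To make stages 3 and 4 concrete, the following Python sketch shows a BNG building a RADIUS Access-Request for a line and a RADIUS server checking it against the provisioned subscriber data. It is an added example, not Radiator code or code from this post; it assumes the circuit ID is carried in NAS-Port-Id, that requests carry a Message-Authenticator (RFC 3579), and it uses a constructed shared secret and subscriber table.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS codes (RFC 2865)
NAS_PORT_ID, MESSAGE_AUTHENTICATOR = 87, 80              # attribute types (RFC 2869)
SECRET = b"constructed-shared-secret"                    # constructed BNG/RADIUS secret
# Constructed subscriber database, as the OSS/BSS would have provisioned it.
SUBSCRIBERS = {
    "olt1 eth 1/1/3:100": {"active": True, "profile": "fibre-500M"},
    "dslam7 atm 0/2/14:8.35": {"active": False, "profile": "dsl-50M"},  # suspended
}

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_request(circuit_id, ident=1):
    """BNG side: Access-Request identifying the line by circuit ID."""
    attrs = attr(NAS_PORT_ID, circuit_id.encode()) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    # RFC 3579: HMAC-MD5 over the packet with the Message-Authenticator value zeroed.
    return pkt[:-16] + hmac.new(SECRET, pkt, hashlib.md5).digest()

def parse_attrs(pkt):
    """Return {type: (value_offset, value)}; reject malformed lengths."""
    out, i = {}, 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute")
        out[pkt[i]] = (i + 2, pkt[i + 2:i + pkt[i + 1]])
        i += pkt[i + 1]
    return out

def handle_request(pkt):
    """RADIUS side: (code, profile), or (None, None) when the packet is dropped."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None, None
    try:
        attrs = parse_attrs(pkt)
        off, mac = attrs[MESSAGE_AUTHENTICATOR]
        circuit_id = attrs[NAS_PORT_ID][1].decode()
    except (ValueError, KeyError):   # UnicodeDecodeError is a ValueError
        return None, None
    expected = hmac.new(SECRET, pkt[:off] + bytes(16) + pkt[off + 16:], hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        return None, None            # not from a BNG that knows the shared secret
    sub = SUBSCRIBERS.get(circuit_id)
    if sub and sub["active"]:
        return ACCESS_ACCEPT, sub["profile"]
    return ACCESS_REJECT, None
```

A suspended or unknown line is rejected, while a request whose integrity check fails is dropped without a reply, so only a BNG holding the shared secret can get an answer about a circuit ID.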
Summary of Core Software Components
Component | Role |
---|---|
CPE | Initiates session; endpoint for the user |
BNG/BRAS | Handles session control and IP management with DHCP / RADIUS server |
RADIUS server | Authenticates and authorizes user sessions against a subscriber database |
DHCP server | Assigns IP addresses (can be built into the BNG) |
Subscriber management system (OSS/BSS) | Central provisioning engine for user services, integrates with subscriber database |
Looking to deploy a fixed-line network?
Radiator Software offers commercially supported ISP-grade RADIUS servers for all types of fixed-line networks. Whether a greenfield deployment or a migration from an existing AAA server setup, Radiator is the product for you. For more details, please e-mail us at sales@radiatorsoftware.com