PPP over Ethernet (PPPoE) session limits are downloaded from the RADIUS server when you enable SSS preauthorization on the LAC using the subscriber access pppoe pre-authorize nas-port-idcommand. By enabling preauthorization, you limit the number of PPPoE sessions on a specific VLAN; that is, the PPPoE per-NAS-port session limit downloaded from the RADIUS server takes precedence over locally configured (port-based) session limits, such as per-VLAN session limits. The following is a sample user profile to configure a session limit through RADIUS:
Password = "password1"
cisco-avpair= "pppoe:session-limit=session limit per NAS-port"
The PPPoE Session Limit Local Override feature enables the local session limit configured at the BRAS to override the per-NAS-port session limit configured at the RADIUS server when SSS preauthorization is configured.
The PPPoE Session Limit Local Override feature is useful only when you have configured SSS preauthorization on the BRAS or LAC.
To enable the PPPoE Session Limit Local Override feature, configure the sessions pre-auth limit ignore command under the broadband access (BBA) group associated with the interface. When the PPPoE Session Limit Local Override feature is enabled, the locally configured session limit is applied before PPP is started; that is before the BRAS sends out a PPPoE Active Discovery Offer (PADO) packet to the client, advertising a list of available services.
When preauthorization is configured without the PPPoE Session Limit Local Override feature enabled, the client receives an authentication failure response from the BRAS when there is no session limit downloaded from the RADIUS server and the locally configured session limit is exceeded. The BRAS waits to apply locally configured limits until PPP negotiation is completed. When a call is finally rejected, the client receives the authentication failure response, resulting in session failure, with no ability to distinguish whether the session failure results from a Challenge Handshake Authentication Protocol (CHAP) authentication failure or a PPPoE session limit having been exceeded. The PPPoE Session Limit Local Override feature allows for differentiation between the handling of per-NAS-port failures and session limiting failures.
If you enable the PPPoE Session Limit Local Override feature, but there are no locally configured per-port session limits, then per-NAS-port session limits downloaded from the RADIUS server are applied.