{{tag>Services "Service 9" "RADIUS accounting" "Netflow collection for billing"}}
====== Accounting — traffic accounting (Service 9)======
{{indexmenu_n>3}}

FastPCRF supports RADIUS accounting. FastDPI processes subscriber traffic and generates NetFlow statistics, which are forwarded to FastPCRF. FastPCRF then aggregates the data, converts it into the RADIUS Accounting format, and sends it to the RADIUS server.

To enable RADIUS accounting in **''/etc/dpi/fastdpi.conf''**, set the following parameters:
  * Enable accounting:<code bash>enable_acct=1</code>
  * Enable Netflow statistics for billing:<code bash>
# Subscriber billing statistics
netflow=4
# Statistics transmission timeout
netflow_timeout=60</code>

<note important>Data on traffic volume is transmitted to the billing system via the RADIUS Accounting protocol through fastPCRF, rather than directly via Netflow.\\
The ''netflow'' parameter is a bit mask and can take combined values. For example, to enable both accounting and full statistics (8) simultaneously, you must specify ''netflow=12''.</note>

  * Enable local user authentication:<code bash>enable_auth=1</code> 
  * Assign service 9 (statistics export for billing) to the subscriber. The Access-Request response must include the following attribute: <code>VasExperts-Enable-Service="9:on"</code>

<note important>
**For DHCP authentication:** IPv4 and IPv6 traffic are accounted for in separate sessions. If a subscriber has both an IPv4 address and an IPv6 prefix, two independent accounting sessions are created.\\
**For PPPoE:** when IPv4 and IPv6 addresses are assigned within a single RADIUS request, accounting is performed in a single session.
</note>


===== Additional Settings =====

When fastPCRF starts up, it sends an Accounting-Request to the RADIUS server with the attribute ''Acct-Status-Type=Accounting-On'', and when it shuts down, it sends ''Accounting-Off''. These requests include NAS attributes that identify the server and ''Acct-Session-Id=0''. A similar Accounting-On request is sent when switching to a backup RADIUS server.

Some billing systems require synchronization of the authorization and accounting processes: the current accounting session must be properly terminated before sending an Access Request. To enable this mode, use the following parameter:
<code bash>
acct_auth_sync=1
</code>

When synchronization is enabled, a check is performed to verify whether an active accounting session exists for the subscriber's IP address before sending the Access-Request. If a session exists, an Acct-Stop is sent, confirmation is awaited, and then authorization is performed.

Additionally, you can specify a delay between the Acct-Stop confirmation and the sending of the Access-Request:
<code bash>
acct_auth_sync_delay=0
</code>
The value is specified in seconds. This is used to account for processing delays in the billing system.

You can configure how traffic directions are interpreted. By default:
  * Incoming traffic — from the network to the subscriber;
  * Outgoing traffic — from the subscriber to the network.

To change the direction, use the following setting:
<code bash>
acct_swap_dir=0
</code>
  * 0 — no change;
  * 1 — reverse the direction.

===== Rating Group =====

A Rating Group (RG) is used to break down subscriber traffic accounting in RADIUS Accounting. RGs can only be used if Service 9 (statistics export for billing) is enabled.

==== Configuring RG in fastDPI ====

RG storage and processing settings:

  * Number of groups: <code bash>rating_group_count=0</code> Default value: 0 — RG disabled.
  * Maximum number of subscribers with RG: <code bash>rating_group_max_subs=0</code> Default value: 0 — RG disabled.

The RG storage is initialized only if billing statistics are enabled.

The amount of memory required to store RG statistics is calculated using the following formula:
<code bash>
memory_required = 32 * rating_group_count * rating_group_max_subs * num_thread
</code>
where:
  * ''32'' — the size of counters per group (in bytes);
  * ''rating_group_count'' — the number of groups;
  * ''rating_group_max_subs'' — the maximum number of subscribers;
  * ''num_thread'' — the number of processing threads.

Sample calculation for 10,000 subscribers, 256 rating groups, and 8 processing threads—625 MB of memory is required:
<code bash>
rating_group_count = 256
rating_group_max_subs = 10000
num_thread = 8
memory_required = 32 * 256 * 10000 * 8 = 625M
</code>

<note important>Under heavy load, the flow of accounting data from fastDPI may exceed the processing capacity of fastPCRF. In this case, the network stack must be tuned.</note>

{{anchor:acct-pending-queue}}

==== Transmission of RG Statistics to RADIUS Accounting ====

RG statistics are transmitted in separate Interim-Update packets. Only data for non-zero RGs is transmitted.\\
Due to the RADIUS packet size limit (4096 bytes), RG data may be split across multiple Interim-Update packets.

A new VSA, ''VasExperts-Acct-Type'' (id=28, vendor=43823, integer), is used to identify the packet type, with the following values:
  * ''0'' — standard Interim Update Accounting;
  * ''1'' — RG data.

Each RG and its counters are transmitted in a **single** VSA with the following attributes:
  * VasExperts-Acct-Rating-Group (short, 16-bit) — RG number;
  * VasExperts-Acct-Input-Octets-64;
  * VasExperts-Acct-Output-Octets-64;
  * VasExperts-Acct-Input-Packets-64;
  * VasExperts-Acct-Output-Packets-64.

Packet and byte counters for each direction are output according to the <code>acct_swap_dir</code> option (as in Accounting).

Features of RG transmission:
  * RGs are optional; if the subscriber does not have an RG, the data is not transmitted;
  * if RADIUS does not acknowledge receipt of the RG packet, it is not resent—the latest data will be sent in the next Interim-Update;
  * if the subscriber has RG statistics, the current RG data is sent before sending the Acct-Stop session.

==== Setting the RG During Subscriber Authentication ====

The RG is set at the subscriber level during authentication via a special service profile 9 named 'RG':
<code bash>
VasExperts-Service-Profile :="9:RG"
</code>

RG statistics can only be collected if Service 9 (bill stat) is enabled. If Service 9 is disabled, RG is also disabled.

Examples:
  * Service 9 enabled, RG disabled (standard RADIUS Accounting): <code bash>VasExperts-Enable-Service :="9:on"</code>
  * Service 9 enabled, RG enabled (RG data transmission): <code bash>VasExperts-Service-Profile :="9:RG"</code>
  * Service 9 disabled, RG disabled (RADIUS Accounting not sent): <code bash>VasExperts-Enable-Service :="9:off"</code>

===== Internal Structure =====
{{anchor:internals}}

The accounting database is stored in fastPCRF and runs in memory. It has a two-level structure:
  * raw level — storage of raw data by IP address;
  * aggregation level — grouping of data into accounting sessions.

The CLI allows you to:
  * manage sessions (start/stop);
  * view status and statistics.

<note important>When fastPCRF is restarted or stopped, all current accounting sessions are deleted.</note>

<note important>When fastDPI is restarted, the traffic counters are reset. Upon startup, an Accounting-On command is sent; upon shutdown, an Accounting-Off command is sent, along with the corresponding NAS attributes.</note>

===== Restarting fastDPI =====
{{anchor:fastdpi_restart}}

When fastDPI starts and stops, it sends accounting-on/accounting-off commands to fastPCRF, which are used to close the current sessions.

This behavior is controlled by the following parameter:
<code bash>
acct_fastdpi_session_stop=1</code>

Two modes are available:
  * 1 — When fastDPI starts or stops, an Acct-Stop is sent to all active sessions;
  * 0 — Only Accounting-On/Accounting-Off messages are sent, without individual Acct-Stop messages.

The mode that sends an Acct-Stop message ensures that sessions are terminated correctly, but places an increased load on the RADIUS server. The alternative mode reduces the load, but requires the source to be correctly identified based on NAS attributes.

For proper operation, you must:
  * Set unique ''attr_nas_ip'' and ''attr_nas_id'' values for each fastDPI;
  * Configure ''radius_attr_nas_ip_address'' and ''radius_attr_nas_id'' for fastPCRF.

RADIUS-side processing:
  * if the NAS attributes match fastDPI, sessions for that node are closed;
  * if fastPCRF, all active sessions are closed.

===== List of acct_stop_reason values =====
''acct_stop_reason_unspecified'' — reason not specified\\
''acct_stop_reason_user_request'' — termination initiated by the subscriber or upon creation of a new session\\
''acct_stop_reason_idle_timeout'' — inactivity timeout\\
''acct_stop_reason_session_expired'' — session timeout\\
''acct_stop_reason_admin_reset'' — termination at the administrator's request (CoA Disconnect-Request)\\
''acct_stop_reason_lost_service'' — service disconnection or DHCP-NAK\\
''acct_stop_reason_NAS_error'' — request error\\
''acct_stop_reason_double_secondary_key'' — secondary key conflict\\
''acct_stop_reason_coa_reauth'' — CoA reauth\\
''acct_stop_reason_callback'' — termination due to re-authorization\\
''acct_stop_reason_no_auth_response'' — no authorization response\\
''acct_stop_reason_NAS_switch'' — switch to another node\\
''acct_stop_reason_CoA_Disconnect'' — CoA disconnect\\

From fastPCRF:\\
''acct_stop_reason_source_reboot'' — fastDPI reboot detected\\
''acct_stop_reason_change_session_id'' — sessionId changed\\
''acct_stop_reason_transfer_session_id'' — session ID transferred\\
''acct_stop_reason_fastdpi_acct_on'' — Acct-On/Acct-Off received\\
''acct_stop_reason_suspended'' — session suspended due to RADIUS unavailability\\
''acct_stop_reason_ppp_changed_IPv6_prefix'' — IPv6 prefix changed\\
''acct_stop_reason_ppp_missing_IPv6_prefix'' — IPv6 prefix missing