====== Integration with Radius server ======
{{indexmenu_n>2}}

  * [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response]]
  * [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response:radius_auth_access_accept]]
  * [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response:radius_auth_access_reject]]
  * [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_coa]]

The fastPCRF sends Access-Request packets with the following attributes:

<code>
User-Name = "94.158.56.38"
User-Password = "VasExperts.FastDPI"
Framed-IP-Address = 94.158.56.38
Acct-Session-Id = "001122334455667788"
NAS-Port-Type = 5 (Virtual)
NAS-Port = 0
NAS-Port-Id = "708"
NAS-IP-Address = 192.168.0.40
Service-Type = 2 (Framed-User)
Chargeable-User-Identity="some-login"
VasExperts-Service-Type=0
Message-Authenticator = 0x655ad71144647dd842afd3b65b08d421
</code>

where:

  * ''User-Name'' – the user IP address as a string. You can choose what is placed in the User-Name attribute; see below for details.
  * ''User-Password'' – the password. It is the same for all users and is set by the ''radius_user_password'' configuration option. Do not treat this field as a user password; it is the system password.
  * ''Framed-IP-Address'' – the user IPv4 address.
  * ''Acct-Session-Id'' – the accounting session identifier.
  * ''NAS-Port-Type'' – set by the ''radius_attr_nas_port_type'' option. The list of valid values is defined by RFC 2865. In this example it is set to 5 (Virtual).
  * ''NAS-Port'' – the VLAN tag of the subscriber packet; this attribute is added only for VLAN networks.
  * ''NAS-Port-Id'' – the QinQ tags of the subscriber packet in the "outerVLAN/innerVLAN" format, for example "34/123"; this attribute is added only for QinQ networks.
  * ''NAS-IP-Address'' – the IP address specified by the ''radius_attr_nas_ip_address'' configuration option. Typically, the NAS IP address is set to the IP address of the fastpcrf server. Alternatively, you can specify the ''radius_attr_nas_id'' configuration option (the NAS text ID) instead of ''radius_attr_nas_ip_address''. In this case the Access-Request contains the NAS-Identifier attribute instead of NAS-IP-Address.
  * ''Service-Type'' – set by the ''radius_attr_service_type'' configuration option. The full list of values for this attribute can be found in [[https://tools.ietf.org/html/rfc2865|RFC-2865]]. Service-Type=2 (Framed-User) is used in this example.
  * ''Chargeable-User-Identity'' (CUI) – the user's login, if it is known to the fastdpi. If the login is not known, the CUI attribute contains exactly one zero byte (nul CUI), which according to [[https://tools.ietf.org/html/rfc4372|RFC-4372]] means that the NAS asks the RADIUS server for the user login. The fastpcrf expects to receive the correct user login in the CUI attribute of the response.
  * ''VasExperts-Service-Type'' (VSA vendor-id=43823, attr-id=6) – the type of authorization request: 0 - L3 authorization, 1 - leasing a DHCP address + authorization; see the [[dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy|DHCP Radius proxy]] mode.
  * ''Message-Authenticator'' – a calculated attribute; see [[https://tools.ietf.org/html/rfc2869|RFC-2869]] for details. If ''radius_msg_auth_attr = 1'' (the recommended value), this attribute is added to the Access-Request.

{{anchor:ipv6}}
== IPv6 ==

An IPv6 authorization request differs slightly: instead of the Framed-IP-Address attribute, the request contains the following attributes:

  * ''Framed-IPv6-Prefix'' - the IPv6 subnetwork prefix. Authorization is applied to all addresses with this prefix rather than to a particular IPv6 address.
  * ''Framed-IPv6-Address'' - the IPv6 address. By default, this attribute carries the prefix address; for example, for the address 2001:1::1 the attribute value is 2001:1::. If you set the ''ipv6_native_framed_address'' parameter in fastpcrf.conf to 1, the ''Framed-IPv6-Address'' attribute carries the full IPv6 address, which is 2001:1::1 in the example above.

Remember that setting ''ipv6_native_framed_address=1'' does not mean that the VAS Experts DPI will authorize //each// IPv6 address; it still treats IPv6 authorization as authorization of the subscriber subnetwork. For example, if packets arrive from the subscribers 2001:1::1 and 2001:1::ab, only one of those addresses is submitted for authorization, while the parameters obtained as a result of authentication are applied to all addresses within the 2001:1::/64 subnetwork.

{{anchor:radius_user_name_auth}}
== User-Name attribute value ==

The following entities can be used as the User-Name:

  * the subscriber login (it is not always known to the VAS Experts DPI);
  * the subscriber IP address (it is always known);
  * Q-in-Q tags (for QinQ networks, "vlan-per-user").

Since VAS Experts DPI version 7.4, the ''radius_user_name_auth'' option in fastpcrf.conf specifies the value of the User-Name attribute in order of preference:

  * ''login'' – use the user login
  * ''ip'' – use the subscriber IP address
  * ''qinq'' – use the QinQ tag in the "outerVLAN.innerVLAN" format; for example, "101.205"

Example:

<code>
# Put the QinQ tag in the User-Name attribute; if QinQ is not used, put the subscriber login instead; otherwise put the IP address
radius_user_name_auth=qinq,login,ip
</code>

The default value: ''radius_user_name_auth=login,ip,qinq''

[[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response|Response attributes]]
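
With ''radius_msg_auth_attr = 1'', the RADIUS server can check the Message-Authenticator attribute described above before acting on any other attribute of the request. The following added example (not code from the original page or from VAS Experts) builds an Access-Request with this page's sample attributes and verifies the HMAC-MD5 as defined in RFC 2869; the shared secret, the request authenticator and all function names are constructed for illustration, and User-Password is omitted for brevity.

```python
import hashlib, hmac, socket, struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def attr(type_, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([type_, len(value) + 2]) + value

def build_access_request(ident, req_auth, attrs, secret, sign=True):
    """Encode an Access-Request; when sign is set, append Message-Authenticator."""
    body = b"".join(attrs) + (attr(MSG_AUTH, bytes(16)) if sign else b"")
    pkt = bytearray(struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body)
    if sign:
        # HMAC-MD5 over the whole packet with the attribute value zeroed
        pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def verify_message_authenticator(pkt, secret):
    """True only if attribute 80 is present, well-formed and its HMAC matches."""
    if len(pkt) < 20:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    if not 20 <= length <= len(pkt):
        return False
    pos = 20
    while pos + 2 <= length:
        type_, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            return False  # malformed attribute list
        if type_ == MSG_AUTH:
            if alen != 18:
                return False
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False  # unsigned request: reject rather than accept silently

# Constructed sample mirroring the Access-Request shown on this page.
SECRET = b"constructed-shared-secret"  # assumption: not a real secret
SAMPLE_ATTRS = [
    attr(1, b"94.158.56.38"),                    # User-Name
    attr(8, socket.inet_aton("94.158.56.38")),   # Framed-IP-Address
    attr(4, socket.inet_aton("192.168.0.40")),   # NAS-IP-Address
    attr(6, struct.pack("!I", 2)),               # Service-Type = Framed-User
    attr(61, struct.pack("!I", 5)),              # NAS-Port-Type = Virtual
    attr(89, b"some-login"),                     # Chargeable-User-Identity
]
SAMPLE = build_access_request(1, bytes(range(16)), SAMPLE_ATTRS, SECRET)
```

The verifier returns False for a request that lacks the attribute, so a server using this check would drop unsigned Access-Requests instead of processing them.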