{{indexmenu_n>3}}
====== Local authorization configuration for all subscribers ======
This instruction is suitable for the following scenarios:
- Authorization of a test subscriber as part of functional testing of BNG.
- Subscriber authorization in case the primary RADIUS server is unavailable.
===== FreeRADIUS configuration =====
- **Disabling EAP.** Within this build, disabling EAP is not strictly required, but EAP may cause errors when enabling the ''radiusd'' unit, so it is recommended to disable it. Open the files ''/etc/raddb/sites-available/default'' and ''/etc/raddb/sites-enabled/inner-tunnel''.\\ Disable EAP by commenting it out in the following sections: <code>
authorize {
    # ... other entries unchanged ...
#    eap {
#        ok = return
#        updated = return
#    }
}
authenticate {
    # ... other entries unchanged ...
#    eap
}
post-proxy {
    # ... other entries unchanged ...
#    eap
}
</code>
If necessary, also remove EAP files from the modules ''/etc/raddb/mods-available/eap'' and ''/etc/raddb/mods-enabled/eap''.
- **Client/NAS configuration.** Clients here are RADIUS clients, in this case fastPCRF.\\ If the FreeRADIUS server is deployed on the same node as fastPCRF, no additional configuration is required: it is enough to verify the default configuration in the file ''/etc/raddb/clients.conf''.\\ If a remote NAS needs to be defined, use the same file and add a client description, for example: <code>
client fastpcrf1 {
    ipaddr = < IP >
    secret = < SECRET >
    require_message_authenticator = yes
}
</code>
- **Subscriber authorization.** Configure the Access-Accept template that FreeRADIUS will generate. To do this, add an entry to the file ''/etc/raddb/users'' that explicitly allows authorization of all requests regardless of attributes, username, or authorization type. <code>
DEFAULT Auth-Type := Accept
    User-name = "%{User-name}",
    VasExperts-L2-User = 1,
    VasExperts-Policing-Profile = "rate_10M",
    VasExperts-Enable-Service = "9:on",
    Framed-Pool = "test-pool",
    Framed-IP-Address = "%{Framed-IP-Address}",
    Framed-IP-Netmask = "255.255.0.0",
    VasExperts-DHCP-Gateway = "192.168.35.1",
    VasExperts-DHCP-DNS = "8.8.8.8",
    VasExperts-DHCP-DNS = "8.8.4.4"
</code>
This template is suitable for all authorization types (DHCP, IPoE static L2, PPPoE). If the Framed-IP-Address attribute is absent in the Access-Request, FreeRADIUS sends Access-Accept with Framed-IP-Address = 0.0.0.0. fastPCRF ignores an attribute with this value, and IP address assignment is performed based on the Framed-Pool attribute. To allocate addresses from Framed-Pool, a local DHCP server must be installed and configured on the server. [[dpi:bras_bng:ip_pool|More details]]
- **fastPCRF settings.** Configure the RADIUS server. When using a standby server, specify it after the line with the primary ''radius_server''. <code>
radius_server=secret@127.0.0.1%lo:1812;acct_port=1813
</code>
- **Verification.** First, check the FreeRADIUS configuration using the command ''radiusd -CX''.\\ Then start RADIUS in debug mode using ''radiusd -X''; all message processing is shown in the CLI and errors are clearly visible.\\ Check authorization from the PCRF side in the file ''/var/log/dpi/fastpcrf_ap2.log''. If the system operates correctly, start FreeRADIUS in normal mode and enable autostart: <code>
systemctl start radiusd
systemctl enable radiusd
</code>
===== Access-Accept template variants for different authorization types (L3, DHCP, PPPoE) =====
In this implementation, all comparisons are performed within the file based on the presence of the corresponding attribute in the request.
For an L3 static client:
<code>
DEFAULT VasExperts-Service-Type == 0, Auth-Type := Accept
    User-name = "%{User-name}",
    VasExperts-L2-User = 1,
    VasExperts-Policing-Profile = "rate_10M",
    VasExperts-Enable-Service = "9:on",
    Framed-IP-Address = "%{Framed-IP-Address}",
    Framed-IP-Netmask = 255.255.255.0,
    VasExperts-DHCP-Gateway = "192.168.35.1",
    VasExperts-DHCP-DNS = "8.8.8.8",
    VasExperts-DHCP-DNS = "8.8.4.4",
    VasExperts-Service-Profile = "11:cg-nat",
    Session-Timeout = 84600
</code>
For a DHCP client:
<code>
DEFAULT VasExperts-Service-Type == 1, Auth-Type := Accept
    User-name = "%{User-name}",
    VasExperts-Policing-Profile = "rate_10M",
    VasExperts-Enable-Service = "9:on",
    Framed-Pool = "test-pool",
    VasExperts-Service-Profile = "11:cg-nat",
    Session-Timeout = 84600
</code>
For a PPPoE client:
<code>
DEFAULT VasExperts-Service-Type >= 2, Auth-Type := Accept
    User-name = "%{User-name}",
    VasExperts-Policing-Profile = "rate_10M",
    VasExperts-Enable-Service = "9:on",
    Framed-Pool = "test-pool",
    VasExperts-Service-Profile = "11:cg-nat",
    Session-Timeout = 84600
</code>
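
The following is an added example, not part of the original instruction and not FreeRADIUS code: a simplified Python model of how the three ''DEFAULT'' entries above are selected for a request, so a template set can be reasoned about before loading it with ''radiusd -X''. The names ''parse'', ''matches'' and ''authorize'' and the shortened reply lists are assumptions made for illustration; the model covers only the ''=='', ''>='' and '':='' operators used on this page.

```python
import re

# Constructed copy of the three DEFAULT entries above, reply lists shortened.
USERS = '''\
DEFAULT VasExperts-Service-Type == 0, Auth-Type := Accept
    User-name = "%{User-name}",
    Framed-IP-Address = "%{Framed-IP-Address}"
DEFAULT VasExperts-Service-Type == 1, Auth-Type := Accept
    User-name = "%{User-name}",
    Framed-Pool = "test-pool"
DEFAULT VasExperts-Service-Type >= 2, Auth-Type := Accept
    User-name = "%{User-name}",
    Framed-Pool = "test-pool"
'''
ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|>=|=)\s*"?([^",]*)"?\s*,?\s*$')

def parse(text):
    """Return [(check_items, reply_items)] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                  # indented line: reply item
            entries[-1][1].append(ITEM.match(line).groups())
        else:                                  # column 0: name, then check items
            items = line.split(None, 1)[1].split(',')
            entries.append(([ITEM.match(i).groups() for i in items], []))
    return entries

def matches(checks, request):
    for name, op, value in checks:
        if op == ':=':                         # sets a control item, filters nothing
            continue
        if name not in request:                # absent attribute: comparison fails
            return False
        have, want = int(request[name]), int(value)
        if not (have == want if op == '==' else have >= want):
            return False
    return True

def authorize(request, users=USERS):
    """First matching entry wins (no Fall-Through); a missing %{...} expands to ''."""
    for checks, reply in parse(users):
        if matches(checks, request):
            control = {n: v for n, op, v in checks if op == ':='}
            expand = lambda v: re.sub(r'%\{([\w-]+)\}',
                                      lambda m: str(request.get(m.group(1), '')), v)
            return control, {n: expand(v) for n, _, v in reply}
    return {}, {}                              # nothing matched: no Auth-Type set
```

In this model a request that carries no ''VasExperts-Service-Type'' matches none of the three entries, so no ''Auth-Type := Accept'' is applied to it, unlike the single catch-all ''DEFAULT'' entry from the first section.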