FastPCRF installation and configuration

The Fastpcrf server application can be installed on the same server as the fastDPI or on another one.

We recommend moving the fastPCRF process to a separate virtual machine for fault-tolerance and multi fastDPI management (BRAS).

The configuration is set in the file /etc/dpi/fastpcrf.conf. Minimal configuration:

   # For SSG 8.3+: two fastDPI servers work with one fastpcrf
fdpi_server=127.0.0.1%lo:29000;attr_nas_ip=10.20.30.40
fdpi_server=192.168.20.10%eth2:29000
 
   # For SSG up to version 8.3
#fdpi_server_list=127.0.0.1%lo:29000;192.168.20.10%eth2:29000
 
radius_server=secret@192.168.10.20%eth1:1812
radius_server=secret2@192.168.10.21%eth1:1812

Here:

• fdpi_server - [SSG 8.3+] specifies one fastdpi server. Each fastdpi server is described by a separate parameter. Format: fdpi_server=ip%dev:port[;name=value]*, where

ip - fastDPI server IP address;
dev - on which local interface to create a connection with fastDPI;
port - management port fastDPI (usually 29000)
name=value - additional attributes of this fastdpi server:
attr_nas_ip - IPv4 address for Radius attribute NAS-IP-Address; if not set, the fastdpi IP address is used (ip);
attr_nas_ipv6 - the value of the NAS-IPv6-Address Radius attribute for this fastdpi;
attr_nas_id - the value of the NAS-Identifier attribute for this fastdpi

• fdpi_server_list - [SSG prior to version 8.3] list of fastDPI servers served by this fastpcrf. You can specify up to 16 different servers.
Server job format: ip%dev:port, where:

ip - fastDPI server IP address,
dev - on which local interface to create a fastDPI connection,
port - control port fastDPI (usually 29000).

The control port must be the same in fastdpi.conf (parameter ctrl_port) and in fastpcrf.conf.

FastDPI only listens on the control port on the interface specified by the ctrl_dev parameter in the fastdpi.conf configuration file. If fastPCRF is being installed on a standalone server, the ctrl_dev parameter must be properly configured with an interface name other than lo for fastDPI and fastPCRF communication

• radius_server - specifies one radius server. Each radius server (usually two of them - main and backup) is specified in a separate radius_server parameter.
Format: secret@ip%dev:port where:

secret - Radius secret,
ip - Radius server IP address,
dev - name of the local interface on which to establish a connection,
port - Radius auth port. It is possible to specify up to 16 Radius servers, while the first one in the order of declaration in fastpcrf.conf is considered the main one, the rest are reserve ones.

A connection is created with only one radius server from the list, backup servers are activated only when the main one is unavailable.

fastpcrf.conf has many other configuration parameters related to fine-tuning the interaction with Radius servers.

Full list of options

After configuring, don't forget to enable fastPCRF autorun when starting the server with the command:

systemctl enable fastpcrf

Change settings on update

In SSG version 8.5+ attr_nas_id or attr_nas_ip respectively must be declared in the fdpi_server parameter for NAS-Identifier or NAS-IP-Address availability for the selected fastDPI server (even for only one).