Table of Contents

Local authorization configuration for all subscribers

This instruction is suitable for the following scenarios:

  1. Authorization of a test subscriber as part of functional testing of BNG.
  2. Subscriber authorization in case the primary RADIUS server is unavailable.

FreeRADIUS configuration

  1. Disabling EAP. within this build, disabling is not strictly required, but EAP may cause errors when enabling the radiusd unit, so it is recommended to disable it. go to the directory /etc/raddb/sites-available/default /etc/raddb/sites-enabled/inner-tunnel
    Disable EAP in the following sections:
    authorize {
 #  eap {
# ok = return
# updated = return
#  }
authenticate {
#  eap
post-proxy {
#  eap

    If necessary, also remove EAP files from the modules /etc/raddb/mods-available/eap and /etc/raddb/mods-enabled/eap.

  2. Client/NAS configuration. clients here refer to RADIUS clients, in this case — fastPCRF.
    If the FreeRADIUS server is deployed on the same node as fastPCRF, no additional configuration is required — it is enough to verify the default configuration in the file /etc/raddb/clients.conf.
    If a remote NAS needs to be defined, use the same file and add a client description, for example:
    client fastpcrf1 {
  ipaddr          = < IP >
  secret          = < SECRET >
  require_message_authenticator = yes
}
  3. Subscriber authorization. it is required to configure an Access-Accept template that will be generated by FreeRADIUS. to do this, add configuration to the file /etc/raddb/users, explicitly allowing authorization of all requests regardless of attributes, username, or authorization type.
    DEFAULT Auth-Type := Accept
      User-name = "%{User-name}",
      VasExperts-L2-User = 1,
      VasExperts-Policing-Profile = "rate_10M",
      VasExperts-Enable-Service = "9:on",
      Framed-Pool = "test-pool",
      Framed-IP-Address = "%{Framed-IP-Address}",
      Framed-IP-Netmask = "255.255.0.0
      VasExperts-DHCP-Gateway = "192.168.35.1",
      VasExperts-DHCP-DNS = "8.8.8.8",
      VasExperts-DHCP-DNS = "8.8.4.4"

    This template is suitable for all authorization types (DHCP, IPoE static L2, PPPoE). if the Framed-IP-Address attribute is absent in the Access-Request, FreeRADIUS sends Access-Accept with Framed-IP-Address = 0.0.0.0. fastPCRF ignores an attribute with this value, and IP address assignment is performed based on the Framed-Pool attribute. to allocate addresses from Framed-Pool, a local DHCP server must be installed and configured on the server. more details

  4. fastPCRF settings. configure the RADIUS server. when using a standby server, specify it after the line with the primary radius_server.
    radius_server=secret@127.0.0.1%lo:1812;acct_port=1813
  5. Verification. first, check the FreeRADIUS configuration using the command radiusd –CX.\\Then start RADIUS in debug mode using radiusd –X — all message processing will be shown in the CLI and errors will be clearly visible.\\Check authorization from the PCRF side in the file /var/log/dpi/fastpcrf_ap2.log. if the system operates correctly, start FreeRADIUS in normal mode and enable autostart:
    systemctl start radiusd
systemctl enable radiusd

Access-Accept template variants for different authorization types (L3, DHCP, PPPoE)

In this implementation, all comparisons are performed within the file based on the presence of the corresponding attribute in the request.

For an L3 static client: 

DEFAULT VasExperts-Service-Type == 0, Auth-Type := Accept
  User-name = "%{User-name}",
  VasExperts-L2-User = 1,
  VasExperts-Policing-Profile = "rate_10M",
  VasExperts-Enable-Service = "9:on",
  Framed-IP-Address = "%{Framed-IP-Address}",
  Framed-IP-Netmask = 255.255.255.0,
  VasExperts-DHCP-Gateway = "192.168.35.1",
  VasExperts-DHCP-DNS = "8.8.8.8",
  VasExperts-DHCP-DNS = "8.8.4.4",
  VasExperts-Service-Profile = "11:cg-nat",  
  Session-Timeout = 84600

For a DHCP client: 

DEFAULT VasExperts-Service-Type == 1, Auth-Type := Accept
  User-name = "%{User-name}",
  VasExperts-Policing-Profile = "rate_10M",
  VasExperts-Enable-Service = "9:on",
  Framed-Pool = "test-pool",
  VasExperts-Service-Profile = "11:cg-nat", 
  Session-Timeout = 84600

For a PPPoE client: 

DEFAULT VasExperts-Service-Type >= 2, Auth-Type := Accept
  User-name = "%{User-name}",
  VasExperts-Policing-Profile = "rate_10M",
  VasExperts-Enable-Service = "9:on",
  Framed-Pool = "test-pool",
  VasExperts-Service-Profile = "11:cg-nat", 
  Session-Timeout = 84600