Description and Configuration

FastRADIUS (RADIUS Event Monitor) is designed to create an IP-LOGIN binding in DPI in networks with dynamic IP address assignment based on RADIUS Accounting (Mapping IP-LOGIN).
FastRADIUS supports the following commands in FastDPI:

Support for subscribers with single IPv4 address and IPv6 subnet
Binding IP address to LOGIN:
```
fdpi_ctrl load --bind --user user_name:ip_address
```
Removing IP ↔ login binding:
```
fdpi_ctrl del --bind --login user_name
```
Support for subscribers with multiple IP
Binding IP address or IP block to LOGIN:
```
fdpi_ctrl load --bind_multi --user user_name:ip_address_or_block
```
Removing one of IPs bound to LOGIN:
```
fdpi_ctrl del --bind_multi --ip ip_address
```

It is also possible to assign CG-NAT (service 11) based on specified parameters.

Operation Schemes

Recommended Scheme: Receiving RADIUS Accounting Traffic on a Dedicated Linux Interface Not Connected to FastDPI

RADIUS Accounting is delivered to FastRADIUS on a standard Linux interface specified in the configuration file (in_dev) by mirroring existing RADIUS traffic or using a RADIUS proxy (e.g., FreeRADIUS). In this case, FastRADIUS only receives the mirror and does not respond to the RADIUS server. Interaction with standard Linux interfaces is handled via libpcap.

Minimum FastRADIUS Configuration

Settings are located in the file /etc/dpi/fdpi_radius.conf.

To apply the configuration, restart the service:

systemctl restart fastradius

in_dev=eth0 — name of the listening Linux interface
rad_acct_port=1813,1814,1815 — listening port number (or comma-separated list of ports) for Radius Accounting packets
save_pdu_proto=0 — save PDU in pcap format for analysis. Set by bitmask:
- 0x00 — write nothing
- 0x01 — broken/unparsed RADIUS packets
- 0x02 — all RADIUS packets
- 0x04 — broken/unparsed DIAMETER packets
- 0x08 — all DIAMETER
- 0x10 — broken TACACS+ packets
- 0x20 — all TACACS+ packets
rad_check_code_pdu=2:4 — analyze PDU with codes 2 and 4
rad_check_acct_status_type=1:3 — analyze PDU with statuses 1 and 3
mem_preset=1 — initialize memory on startup
fdpi_servers=127.0.0.1:29000,123.45.67.85:29000 — list of DPI servers to send data to, where 29000 is the default control port

Stream Processing Configuration

Using the provided values is recommended

num_threads=1
rx_bind_core=0
services_bind_cores=0
engine_bind_cores=0
fifo_bind_cores=0
snaplen=2000
timeout_alarm=5
dbg_log_mask=0x31

Configuration for Exporting RADIUS Events to an External Collector

ipfix_dev=eno8 — name of the Linux interface for IPFIX export. IPFIX Export Template Formats from FastRADIUS
ipfix_tcp_collectors=172.32.0.239:1502 — IPFIX collector address

Alternative Scheme: Diverting RADIUS Accounting Traffic from FastDPI DPDK Interfaces

RADIUS Accounting must be fed into the DPI device ports along with network traffic. This can be achieved by mirroring the ports connected to the RADIUS server. In this case, FastRADIUS only receives the mirror and does not respond to the RADIUS server.

TAP Interface Configuration

FastRADIUS can run on the same server as FastDPI or be deployed on an external server. Two virtual interfaces, TAP0 and TAP1, are used to isolate the required traffic.

Specify the port in the configuration:

in_dev=tap1

Deploying Radius Monitor on the Same Server. Using a Bridge:

Deploying Radius Monitor on an External Server. Using a Tunnel:

TAP0 — used for traffic diversion
TAP1 — listened on by Radius Monitor
A Bridge or Tunnel is created between TAP0 and TAP1 for traffic forwarding.
MAC learning is disabled on the TAP0 interface

Execute the following commands from the console:

ip tuntap add tap0 mode tap
ip tuntap add tap1 mode tap
 
ip link set dev tap0 up
ip link set dev tap1 up
 
ip link add br0 type bridge
 
ip link set tap0 master br0
bridge link set dev tap0 learning off
ip link set tap1 master br0
 
ifconfig tap0 192.168.4.20 up
ifconfig tap1 192.168.4.21 up
ifconfig br0 up

WARNING: TAP interfaces must be started after server reboot!

Configuring Traffic Diversion from FastDPI to FastRADIUS

Enable the traffic diversion service on FastDPI:

fdpi_ctrl load profile --service 14 --profile.name radius  --profile.json '{ "typedev" : "tap","dev" : "tap0","udp" : [ 1813,1814,1815 ] }' --outformat=json 
fdpi_ctrl load --service 14 --profile.name radius --ip 10.16.252.11
fdpi_ctrl load --service 14 --profile.name radius --ip 10.16.252.12

where:

1813,1814,1815 — ports on which RADIUS Accounting is transmitted
10.16.252.11, 10.16.252.12 — IP addresses of RADIUS servers sending RADIUS Accounting

Additional Radius Monitor Settings

rad_auth_port=1645 — listening port number (or comma-separated list of ports) for RADIUS Authentication packets
bind_multi=true — allow multiple IPs per USER-NAME (see command load --bind_multi)

If the order of bind/unbind in the RADIUS stream is not maintained or if there are packet losses (e.g., if it's a mirror), artifacts are likely.

Connecting NAT Based on CIDR

Creating named NAT profiles on FastDPI:

fdpi_ctrl load profile --service 11 --profile.name nat_profile_all --profile.json '{ "nat_ip_pool" : "5.200.43.0/24,5.200.44/25", "nat_tcp_max_sessions" : 2000, "nat_udp_max_sessions" : 2000 }'

In the FastRADIUS configuration file /etc/dpi/fdpi_radius.nat, specify IP ranges and their corresponding NAT profile names. Example:

0.0.0.0/0	nat_profile_all
10.0.0.0/8	nat_profile_1
10.1.1.0/24	nat_profile_2

When a more specific (concrete) profile is specified for an address, it is selected.

IPv6 Support

Configuration parameters for binding addresses and subnets to subscribers are specified in the /etc/dpi/fdpi_radius.conf file:

bind_ipv6_address
- 0 — do not bind address to subscriber (default)
- 1 — bind
  Binding is similar to the bind command in fdpi_ctrl). The address is taken from the RADIUS attribute Framed-IPv6-Address(168)
bind_ipv6_subnet
- 0 — do not bind (default)
- 64 — bind only for /64 subnets
- -1 — bind for any subnets.
  The subnet is taken from the RADIUS attribute Delegated-IPv6-Prefix(123)

Parameters bind_ipv6_address and bind_ipv6_subnet can be set simultaneously.
If a /128 mask is present in Framed-IPv6-Prefix, it is not checked against the restriction set by the bind_ipv6_subnet value.

The subscriber is identified by the RADIUS attribute User-Name or Calling-Station-ID (depending on the login_replace setting)

The current implementation only supports IPv6 subnets of fixed length (default /64), so binding subnets of shorter length will cause an error.

Subscriber Identification in Mobile Networks

login_replace=1 — in this case, the RADIUS attribute Calling-Station-ID (IMSI) is used for subscriber identification instead of User-Name, if present in RADIUS.
ipfix_extra_gsm=1 — enable support for sending additional attributes from RADIUS Accounting via IPFIX.

Appending Region Prefixes to Subscriber Names (LOGIN)

Used when the RADIUS monitor and SCAT serve multiple regions, and user-name might overlap across regions; this allows separating them into different logins.

Enable the setting rad_prefix_info=1
Add to the file /etc/dpi/prefixes.info:
```
172.17.76.1 MSK-
172.17.76.2 MSK-
172.17.76.3 SPB-
172.17.76.4 SPB-
172.17.76.5 SPB-
```
where:
- first field - NAS-IP-Address from the RADIUS packet
- second field - prefix to be added to the Login

Table of Contents