FastPCRF supports RADIUS accounting. FastDPI processes subscriber traffic and generates NetFlow statistics, which are forwarded to FastPCRF. FastPCRF then aggregates the data, converts it into the RADIUS Accounting format, and sends it to the RADIUS server.

To enable RADIUS accounting in /etc/dpi/fastdpi.conf, set the following parameters:

• Enable accounting:

  enable_acct=1

• Enable Netflow statistics for billing:

  # Subscriber billing statistics
  netflow=4
  # Statistics transmission timeout
  netflow_timeout=60

• Enable local user authentication:

  enable_auth=1

• Assign service 9 (statistics export for billing) to the subscriber. The Access-Request response must include the following attribute:

  VasExperts-Enable-Service="9:on"

When fastPCRF starts up, it sends an Accounting-Request to the RADIUS server with the attribute Acct-Status-Type=Accounting-On, and when it shuts down, it sends Accounting-Off. These requests include NAS attributes that identify the server and Acct-Session-Id=0. A similar Accounting-On request is sent when switching to a backup RADIUS server.

Some billing systems require synchronization of the authorization and accounting processes: the current accounting session must be properly terminated before sending an Access Request. To enable this mode, use the following parameter:

acct_auth_sync=1

When synchronization is enabled, a check is performed to verify whether an active accounting session exists for the subscriber's IP address before sending the Access-Request. If a session exists, an Acct-Stop is sent, confirmation is awaited, and then authorization is performed.

Additionally, you can specify a delay between the Acct-Stop confirmation and the sending of the Access-Request:

acct_auth_sync_delay=0

The value is specified in seconds. This is used to account for processing delays in the billing system.

You can configure how traffic directions are interpreted. By default:

• Incoming traffic — from the network to the subscriber;
• Outgoing traffic — from the subscriber to the network.

To change the direction, use the following setting:

acct_swap_dir=0

• 0 — no change;
• 1 — reverse the direction.

A Rating Group (RG) is used to break down subscriber traffic accounting in RADIUS Accounting. RGs can only be used if Service 9 (statistics export for billing) is enabled.

RG storage and processing settings:

• Number of groups:

  rating_group_count=0

  Default value: 0 — RG disabled.

• Maximum number of subscribers with RG:

  rating_group_max_subs=0

  Default value: 0 — RG disabled.

The RG storage is initialized only if billing statistics are enabled.

The amount of memory required to store RG statistics is calculated using the following formula:

memory_required = 32 * rating_group_count * rating_group_max_subs * num_thread

where:

• 32 — the size of counters per group (in bytes);
• rating_group_count — the number of groups;
• rating_group_max_subs — the maximum number of subscribers;
• num_thread — the number of processing threads.

Sample calculation for 10,000 subscribers, 256 rating groups, and 8 processing threads—625 MB of memory is required:

rating_group_count = 256
rating_group_max_subs = 10000
num_thread = 8
memory_required = 32 * 256 * 10000 * 8 = 625M

RG statistics are transmitted in separate Interim-Update packets. Only data for non-zero RGs is transmitted.
Due to the RADIUS packet size limit (4096 bytes), RG data may be split across multiple Interim-Update packets.

A new VSA, VasExperts-Acct-Type (id=28, vendor=43823, integer), is used to identify the packet type, with the following values:

• 0 — standard Interim Update Accounting;
• 1 — RG data.

Each RG and its counters are transmitted in a single VSA with the following attributes:

• VasExperts-Acct-Rating-Group (short, 16-bit) — RG number;
• VasExperts-Acct-Input-Octets-64;
• VasExperts-Acct-Output-Octets-64;
• VasExperts-Acct-Input-Packets-64;
• VasExperts-Acct-Output-Packets-64.

Packet and byte counters for each direction are output according to the

acct_swap_dir

option (as in Accounting).

Features of RG transmission:

• RGs are optional; if the subscriber does not have an RG, the data is not transmitted;
• if RADIUS does not acknowledge receipt of the RG packet, it is not resent—the latest data will be sent in the next Interim-Update;
• if the subscriber has RG statistics, the current RG data is sent before sending the Acct-Stop session.

The RG is set at the subscriber level during authentication via a special service profile 9 named 'RG':

VasExperts-Service-Profile :="9:RG"

RG statistics can only be collected if Service 9 (bill stat) is enabled. If Service 9 is disabled, RG is also disabled.

Examples:

• Service 9 enabled, RG disabled (standard RADIUS Accounting):

  VasExperts-Enable-Service :="9:on"

• Service 9 enabled, RG enabled (RG data transmission):

  VasExperts-Service-Profile :="9:RG"

• Service 9 disabled, RG disabled (RADIUS Accounting not sent):

  VasExperts-Enable-Service :="9:off"

The accounting database is stored in fastPCRF and runs in memory. It has a two-level structure:

• raw level — storage of raw data by IP address;
• aggregation level — grouping of data into accounting sessions.

The CLI allows you to:

• manage sessions (start/stop);
• view status and statistics.

When fastDPI starts and stops, it sends accounting-on/accounting-off commands to fastPCRF, which are used to close the current sessions.

This behavior is controlled by the following parameter:

acct_fastdpi_session_stop=1

Two modes are available:

• 1 — When fastDPI starts or stops, an Acct-Stop is sent to all active sessions;
• 0 — Only Accounting-On/Accounting-Off messages are sent, without individual Acct-Stop messages.

The mode that sends an Acct-Stop message ensures that sessions are terminated correctly, but places an increased load on the RADIUS server. The alternative mode reduces the load, but requires the source to be correctly identified based on NAS attributes.

For proper operation, you must:

• Set unique attr_nas_ip and attr_nas_id values for each fastDPI;
• Configure radius_attr_nas_ip_address and radius_attr_nas_id for fastPCRF.

RADIUS-side processing:

• if the NAS attributes match fastDPI, sessions for that node are closed;
• if fastPCRF, all active sessions are closed.

acct_stop_reason_unspecified — reason not specified
acct_stop_reason_user_request — termination initiated by the subscriber or upon creation of a new session
acct_stop_reason_idle_timeout — inactivity timeout
acct_stop_reason_session_expired — session timeout
acct_stop_reason_admin_reset — termination at the administrator's request (CoA Disconnect-Request)
acct_stop_reason_lost_service — service disconnection or DHCP-NAK
acct_stop_reason_NAS_error — request error
acct_stop_reason_double_secondary_key — secondary key conflict
acct_stop_reason_coa_reauth — CoA reauth
acct_stop_reason_callback — termination due to re-authorization
acct_stop_reason_no_auth_response — no authorization response
acct_stop_reason_NAS_switch — switch to another node
acct_stop_reason_CoA_Disconnect — CoA disconnect

From fastPCRF:
acct_stop_reason_source_reboot — fastDPI reboot detected
acct_stop_reason_change_session_id — sessionId changed
acct_stop_reason_transfer_session_id — session ID transferred
acct_stop_reason_fastdpi_acct_on — Acct-On/Acct-Off received
acct_stop_reason_suspended — session suspended due to RADIUS unavailability
acct_stop_reason_ppp_changed_IPv6_prefix — IPv6 prefix changed
acct_stop_reason_ppp_missing_IPv6_prefix — IPv6 prefix missing