Full list of settings

FastPCRF command line options:

  • -c <conf_file_name> – specifies the configuration file name.
  • -d – to run fastPCRF as a daemon
  • -h – help
  • -v – to display fastPCRF version

Configuration settings are specified in the fastpcrf.conf file located by default at the same location as the fastdpi.conf, i.e. in the /etc/dpi/ directory.

Common configuration file settings:

  • daemon – boolean parameter specifying the startup mode: if daemon=1 it means to run the fastPCRF as a daemon, otherwise – to run it under the direct control of an interactive user. Default value of the daemon option is 0 (it means to start the program as a usual process). This option can be overridden by the command line option –d.
  • verbose – boolean parameter specifying a detailed logging level: if verbose=1 – the program will log its activity verbosely, namely the incoming requests and outgoing data; the degree of detail is specified by the trace option (please see below). Its default value is 0.
  • trace – trace bitmask specifying the list of components to be logged thoroughly. Its default value is 0. For flag values, see The FastPCRF logs
  • rlimit_fsize – the maximum file size while writing to (in bytes). Its default value is – 1G (1073741824 bytes).
  • print_stat_period – the inner statistics period to be written to the fastpcrf_stat.log file. It is specified in seconds, the default value is 300 (statistics are reported every 5 minutes).
  • work_thread_count – the number of the working threads, its default value is 5. It does not make sense to set the work_thread_count number of worker threads, the default value is 5. Setting a value greater than 5 makes no sense, because the number of worker threads cannot be greater than the number of internal components of fastpcrf.
  • async_queue_size – the size of internal queue for transmitting asynchronous messages; its default value is 524288 (512K). This option should not be modified and especially should not be reduced since when the size is too small, it is possible to lose internal calls between components, which is equivalent to loss of operability and/or memory leakage.

Options to set connection with the fastDPI fdpi_server:

  • auth_server_port – the number of port used to listen incoming connections. Its default value is 29002.
  • auth_server_max_connection – the maximum number of incoming connections, the default value is 16, the maximum value is 16. In fact, it is the number of fastDPI servers served by this fastPCRF server.

Setting fastDPI servers:

  • fdpi_server — specifying one fastDPI server. Format: fdpi_server=ip%dev:port[;name=value]*, where
    • ip — IP address of the fastDPI server;
    • dev — interface from which the connection is being made;
    • port — fastPCRF → fastDPI feedback port (usually 29000 is the standard fdpi_ctrl port);
    • name=value — advanced server settings:
      • attr_nas_ip — IPv4 address for the NAS-IP-Address attribute; if not specified, the fastDPI IP address is applied. (ip);
      • attr_nas_ipv6 — NAS-IPv6-Address attribute value for this fastDPI;
      • attr_nas_id — the value of the NAS-Identifier attribute for this fastDPI.

Multiple fdpi_server parameters can be included in the config file - each fastDPI server is described by a separate parameter. The maximum number of fastDPI servers is 16.

fdpi_server=127.0.0.1%lo:29000;attr_nas_ip=5.5.5.5
fdpi_server=10.20.30.40%eth1:29000;attr_nas_is=DPI2

Settings to interact with Radius servers:

  • default_reject_policing – the default policing profile name for unauthorized users.
  • default_reject_whitelist – the service 5 profile name (Whitelist) used by default for unauthorized users.
  • radius_revive_period – the period (in seconds) to reestablish connection to the main Radius server. The default value is 120 second. Radius servers from the list are not equivalent: the first one considered to be the main radius server, the rest ones - backup servers. If fastPCRF detects the main radius server is not responding for too long the connection will be reset and fastPCRF will try to connect to the next radius server from the list. In this case fastPCRF keeps trying to connect to the main radius server until the main radius server becomes available (since version 12.3 removed for unnecessary).
  • radius_max_pending_requests – the maximum number of pending requests from fastDPI servers. The default value is 1 000 000. Incoming requests from fastDPI servers are discarded without warning upon exceeding this threshold.
  • coa_max_pending_requests – the maximum number of pending CoA requests being sent by radius servers. The default value is 100,000. This value should not be less than or equal to the value of async_queue_size option, its recommended value should be less than async_queue_size/2.

radius_server – specifies the Radius server address and its configuration. Each radius server within the configuration file is described by an individual radius_server option. At least 2 radius servers are specified as usual: the primary and backup ones, so the configuration file have to contain at least 2 lines with the radius_server option: the first one - for the main radius server and the second - for the backup server. The maximum number of radius-servers is 16. Radius-servers are not equivalent: the main one is the radius-server specified in the first line of the configuration file, the rest ones are considered backup servers. Backup servers are used in case the main server is unavailable and the order specified in the conf file will be used. Only one radius server is active simultaneously.

The format to specify the radius_server option is the following:

radius_server=secret@ip%dev:port{;param=value}*

here:

  • secret – the radius server secret;
  • ip – the radius server ip address
  • dev (optional) – the name of the interface to establish the connection; if it is not specified, the interface will be set by operating system;
  • port – port number
  • param=value – a list (separated by a semicolon) of configuration options for a given radius server.

Configuration options for the radius server can be specified in three ways:

  1. The values that are the same for all radius servers are specified in the fastpcrf.conf file as regular options (all such parameters are listed below). The main condition to be met is to specify regular options (common for all the radius servers) in front of the radius_server options, only in this case they will be applied to all the radius-servers.
  2. For each radius-server you can create your own configuration file, its name is set using the conf option in the line containing the radius_server option, for example:
    radius_server=secret@10.10.3.5:1812;conf=radius-main.conf

    values from the radius-main.conf supersede the default option values.

  3. Parameters unique to a particular radius server can be specified directly in the radius_server line, for example:
    radius_server=secret@10.10.3.5:1812;conf=radius-main.conf;msg_auth_attr=1

    Here the msg_auth_attr option is set for the particular server 10.10.3.5 and supersedes corresponding option being specified in the radius-main.conf configuration file. Note that the options enumeration order in radius_server is important: options are applied exactly the same order as they are specified in the line containing the radius_server option.
    If to reverse the conf and msg_auth_param options in case the radius-main.conf configuration file has the msg_auth_param = 0, then the msg_auth_param = 0 will be applied according to the radius-main.conf.

In the following, radius servers settings that can be set individually for each radius server are listed. Option names are given in the main fastpcrf.conf configuration file as they are specified within the option radius_server and in dedicated radius server configuration file, i.e. in brackets:

  • radius_dead_timeout (dead_timeout) – ping frequency of the Radius server in seconds when it is in the Dead state. In the Dead state, the server is pinged every radius_dead_timeout seconds: a ping is sent, and the server transitions to the Dead-ping-sent state. For example, if radius_dead_timeout=3600 (1 hour), the Radius server can transition to the Alive state no sooner than one hour after transitioning to the Dead state.
  • radius_max_connect_count (max_connect_count) – the maximum number of connections to one radius server, the default value is 16. According to the basic RADIUS specification (RFC 2865), there are one byte length field for an identifier that allows you to match the request with a response, that is, there are at most 256 requests that can be served by one connection simultaneously. To overcome this limitation, the specification suggests to create several connections to one radius server. In fact, this parameter specifies the number of simultaneous requests to one radius-server, i.e. radius_max_connect_count * 256.
  • radius_response_timeout (response_timeout) – timeout to wait for an answer to the Access-Request request to the radius server, in seconds, the default value is 30. If the response to a request is not received within this time, the request is considered to be rejected by the radius server (for example, if there are "too many requests" ) and fastPCRF tries to send the request again.
  • radius_resend_count (resend_count) – the maximum number of attempts to resend the request, the default value is 0 (without resending). If the number of attempts to resend the request is exhausted and there is no response from the radius server received, then the fastPCRF does not provide such information to the fastDPI server. FastDPI will send a repeated request for authorization if there is no response to authorization within a certain timeout (auth_resend_timeout option defined in the fastdpi.conf file).
  • radius_status_server (status_server) – boolean parameter, specifies whether the radius server supports the Status-Server request (RFC 5997); the default value is 1 (request is supported). This type of query is used by fastPCRF to ping a radius server, especially if the main radius server is temporarily unavailable. It is very difficult to determine whether the main radius-server has recovered without the Status-Server support.
  • radius_keepalive - timeout of pinging Radius-servers, in seconds. If there are no authorization requests, fastPCRF periodically pings Radius servers by sending a Server-Status or Access-Request. If the server responds, it is considered available. Default value: 60 seconds.
  • radius_ping_user_name - User-Name of the pseudo-subscriber used in the Access-Request to check the availability of the RADIUS server.
  • radius_ping_user_password - pseudo-subscriber password used in Access-Request to check if the RADIUS server is available.
  • radius_user_password (user_password) – is a string, the value of the User-Password attribute of the Access-Request. The default value is VasExperts.FastDPI.
  • radius_unknown_user (unknown_user) – is the string, the user login, in case the real login is unknown to the fastDPI. The default value is VasExperts.FastDPI.unknownUser. This is the value of the User-Name attribute of the Access-Request, if the radius_user_name_ip = 0 and the user's login is unknown. It is assumed that the radius server will report the real user login in the Access-Accept response which is determined by its IP address from the Framed-IP-Address attribute. Note that this parameter is closely related to the radius_user_name_auth parameter and only applies if no method of setting the User-Name attribute is applicable.
  • radius_unknown_user_psw (unknown_user_pws) – the string, the User-Password attribute value in case of unknown user login. It is applied only if the radius_user_name_ip = 0. The default value is VasExperts.FastDPI.
  • radius_msg_auth_attr (msg_auth_attr) – boolean parameter, specifies whether the radius server supports the Message-Authenticator attribute (RFC 2869). The default value is 1 (the attribute is supported). If the attribute is supported the fastPCRF will compute and add the Message-Authenticator field to each Access-Request and to each Status-Server request as well as analyze this attribute as contained in the responses. So if the Message-Authenticator attribute verification within the response fails, then such a response will be discarded.
  • radius_attr_nas_port_type (attr_nas_port_type) – is the number, the value of the NAS-Port-Type (RFC 2865) attribute of the Access-Request; the default value is 5 (Virtual).
  • radius_attr_service_type (attr_service_type) – is the number, the value of the service-type attribute (RFC 2865) of the Access-Request. The default value is 2 (Framed).
  • radius_attr_cui (attr_cui) – boolean option, specifies whether the radius server supports the Chargeable-User-Identity attribute (CUI, RFC 4372). The default value is 1 (CUI supported). If this attribute is supported then fastPCRF will insert the user's login to this attribute within the Access-Request; in case the login is unknown a zero byte will be inserted in corresponding field. According to RFC 4372 it means a login request from the radius server. The fastPCRF expects the real user login being placed in this field in the Access-Accept response. The radius server can determine the real user login by its IP address (the Framed-IP-Address attribute of the request).
  • radius_coa_port (coa_port) – UDP-port, which receives Change-of-Authorization (CoA) Disconnect-Request alerts and CoA-Request (RFC 5176). The default value is 3799 (it is defined in RFC 5176). If the radius server does not support CoA, so this option should be set to 0.
  • radius_coa_resend_timeout (coa_resend_timeout) – timeout for resending CoA replies (Disconnect-ACK, Disconnect-NAK, CoA-ACK, CoA-NAK) in case of socket issues (usually socket queue overflow), in seconds. The default value is 1 second. The number of retries is specified by the radius_resend_count option.
  • coa_reauth_ack - specifies the response to the CoA-Request with Service-Type=8 defined (Authenticate-Only):
    • 0 (default value) - according to the RFC5176 p.3.2 it will be replied CoA-NAK with Error-Cause=507 (Request Initiated)
    • 1 - off standard behaviour: it will be replied CoA-ACK