Integration with Radius server


The fastPCRF sends Access-Request requests with the following attributes:

User-Name = "94.158.56.38"
User-Password = "VasExperts.FastDPI"
Framed-IP-Address = 94.158.56.38
Acct-Session-Id = "001122334455667788"
NAS-Port-Type = 5 (Virtual)
NAS-Port = 0
NAS-Port-Id = "708"
NAS-IP-Address = 192.168.0.40
Service-Type = 2 (Framed-User)
Chargeable-User-Identity = "some-login"
VasExperts-Service-Type = 0
Message-Authenticator = 0x655ad71144647dd842afd3b65b08d421

where:

  • User-Name – the user IP address as a string. The value placed in the User-Name attribute is configurable, see below for details.
  • User-Password – the password, which is the same for all users and is set by the radius_user_password configuration option. Do not treat this field as a user password: it is the system password.
  • Framed-IP-Address – is the user IPv4 address.
  • Acct-Session-Id – is the accounting session identifier.
  • NAS-Port-Type – is set by the radius_attr_nas_port_type option value. The list of valid values is defined by RFC 2865. In this example, its value is set to 5 (Virtual).
  • NAS-Port – the VLAN tag value of the subscriber packet; this attribute is added only for VLAN networks.
  • NAS-Port-Id – the QinQ tags of the subscriber packet in the format "outerVLAN/innerVLAN", for example, "34/123"; this attribute is added only for QinQ networks.
  • NAS-IP-Address – the IP address specified by the radius_attr_nas_ip_address configuration option. Typically, the NAS IP address is set to the IP address of the fastpcrf server. Alternatively, you can specify the radius_attr_nas_id configuration option (the NAS TextID) instead of the radius_attr_nas_ip_address. In this case Access-Request will contain the NAS-Identifier attribute instead of NAS-IP-Address.
  • Service-Type – specified by the radius_attr_service_type configuration option. The full list of this attribute values can be found in the RFC-2865. Service-Type=2 (Framed-User) is used in this example.
  • Chargeable-User-Identity (CUI) – the user's login, if it is known to the fastdpi. If the login is not known, the CUI attribute contains exactly one zero byte (nul CUI), which, according to RFC 4372, means that the NAS is asking the RADIUS server for the user login. The fastpcrf expects the response to carry the correct user login in the CUI attribute.
  • VasExperts-Service-Type (VSA vendor-id=43823, attr-id=6) – the type of authorization request: 0 – L3 authorization, 1 – DHCP address lease + authorization; see the DHCP Radius proxy mode.
  • Message-Authenticator – a calculated attribute, see RFC 2869 for details. It is added to the Access-Request if radius_msg_auth_attr = 1 (the recommended value).
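
A server-side check of two of the fields described above, as an added example that is not part of the original page or of VAS Experts code: it verifies Message-Authenticator as RFC 2869 defines it for an Access-Request (HMAC-MD5 over the whole packet, keyed with the RADIUS shared secret, with the attribute's 16-byte value zeroed) and detects a nul CUI. The function names, the shared secret and the sample packet builder are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80     # RFC 2869
CHARGEABLE_USER_IDENTITY = 89  # RFC 4372


def parse_attributes(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        attr_len = packet[pos + 1] if pos + 2 <= length else 0
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield packet[pos], pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def check_access_request(packet, secret):
    """Return (authentic, login_requested) for a received Access-Request."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    scratch = bytearray(packet[:struct.unpack("!H", packet[2:4])[0]])
    received, login_requested = None, False
    for attr_type, offset, value in parse_attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            received = value
            scratch[offset:offset + 16] = bytes(16)  # field is zeroed for the HMAC
        elif attr_type == CHARGEABLE_USER_IDENTITY:
            login_requested = value == b"\x00"       # nul CUI: NAS asks for the login
    if received is None:
        return False, login_requested                # unsigned request: reject
    expected = hmac.new(secret, bytes(scratch), hashlib.md5).digest()
    return hmac.compare_digest(expected, received), login_requested


def build_sample_request(secret, cui):
    """Constructed test packet: CUI plus a valid Message-Authenticator."""
    attrs = bytes([CHARGEABLE_USER_IDENTITY, 2 + len(cui)]) + cui
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    head = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + bytes(range(16))
    packet = bytearray(head + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)
```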

IPv6

An IPv6 authorization request differs slightly: instead of the Framed-IP-Address attribute, it contains the following attributes:

  • Framed-IPv6-Prefix – the IPv6 subnetwork prefix. Authorization applies to all addresses with this prefix rather than to a particular IPv6 address.
  • Framed-IPv6-Address – the IPv6 address. By default, this attribute carries the prefix address: for example, for the address 2001:1::1 the attribute value is 2001:1::. If the ipv6_native_framed_address parameter in fastpcrf.conf is set to 1, the attribute carries the full IPv6 address, which is 2001:1::1 in the example above. Note that ipv6_native_framed_address=1 does not make the VAS Experts DPI authorize each IPv6 address individually; IPv6 authorization is still treated as authorization of the subscriber subnetwork. For example, if packets arrive from the subscriber addresses 2001:1::1 and 2001:1::ab, only one of those addresses is sent for authorization, and the parameters obtained as a result of authentication are applied to all addresses within the 2001:1::/64 subnetwork.

User-Name attribute value

The following can be used as the User-Name:

  • the subscriber login (it is not always known to the VAS Experts DPI);
  • the subscriber IP address (it is always known);
  • Q-in-Q tags (for the QinQ networks, "vlan-per-user").

Since VAS Experts DPI version 7.4, the radius_user_name_auth option in fastpcrf.conf specifies the value of the User-Name attribute, in order of preference:

  • login – to use the user login
  • ip – to use the subscriber IP address
  • qinq – to use the QinQ tag in the "outerVLAN.innerVLAN" format; for example, "101.205"

Example:

# Put the QinQ tag in the User-Name attribute; if QinQ is not used, put the subscriber login instead; otherwise, put the IP address
radius_user_name_auth=qinq,login,ip

The default value: radius_user_name_auth=login,ip,qinq

Response attributes