Radius Access-Reject

An Access-Reject authorization denial (an Access-Challenge is also treated as an authorization denial) should contain special user attributes:

  • special policing profile (for example, strong bandwidth reduction)
  • the name of the service 5 profile (whitelist) – specifies the list of sites the user is allowed to visit

Note that the L3 BRAS interprets the authorization denial as special, highly restricted subscriber access to the network. That is, network access will be provided with some exceptions. These restricted access options are optionally specified in the Access-Reject attributes using a special policing profile and service 5 along with the Captive Portal.

  • Framed-IP-Address – the user's IP address (the same as in the request). This attribute is mandatory.
  • The username (login) – corresponds to one of the following attributes: VasExperts-UserName, Chargeable-User-Identity (CUI), User-Name
  • VasExperts-Policing-Profile – the name of the user policing profile. If this attribute is not present in the Access-Reject, the user is assigned the default profile specified by the default_reject_policing configuration option in the fastpcrf.conf file. No more than one VasExperts-Policing-Profile attribute is allowed within an Access-Reject.
  • VasExperts-Service-Profile – the name of the service 5 profile (whitelist), for example: VasExperts-Service-Profile=5:my_white_list. If this attribute is not present in the Access-Reject, the user is assigned the service 5 profile given by the default_reject_whitelist option in the fastpcrf.conf file.
  • VasExperts-Multi-IP-User – indicates how many IP addresses are associated with the user. If the VasExperts-Multi-IP-User attribute is not specified, it is assumed that the user is assigned just one IP address. Note that this attribute defines an important user property which strongly affects the fastDPI behavior.
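
The Python function below is an added example, not part of the original page and not VAS Experts code. It resolves the restricted-access settings that a given Access-Reject yields under the rules in the list above, which is useful for checking Radius replies before deployment. The function name, the result layout, the default profile names and the login-attribute precedence (the order in which the list names them) are assumptions.

```python
# Constructed stand-ins for the two fastpcrf.conf options named on the page.
CONF = {
    "default_reject_policing": "reject_policing_default",    # constructed value
    "default_reject_whitelist": "reject_whitelist_default",  # constructed value
}

# Assumption: login attributes are tried in the order the page lists them.
LOGIN_ATTRS = ("VasExperts-UserName", "Chargeable-User-Identity", "User-Name")


def resolve_reject(attrs, conf=CONF):
    """attrs: list of (name, value) pairs taken from an Access-Reject reply."""
    def values(name):
        return [v for n, v in attrs if n == name]

    ips = values("Framed-IP-Address")
    if not ips:
        raise ValueError("Framed-IP-Address is mandatory")
    policing = values("VasExperts-Policing-Profile")
    if len(policing) > 1:
        raise ValueError("at most one VasExperts-Policing-Profile is allowed")

    # Service profiles are written "<service>:<profile>"; only service 5
    # (the whitelist) is relevant for a rejected user.
    whitelist = None
    for value in values("VasExperts-Service-Profile"):
        service, _, profile = value.partition(":")
        if service.strip() == "5" and profile:
            whitelist = profile

    login = next((values(a)[0] for a in LOGIN_ATTRS if values(a)), None)
    multi_ip = values("VasExperts-Multi-IP-User")
    return {
        "ip": ips[0],
        "login": login,
        "policing": policing[0] if policing else conf["default_reject_policing"],
        "whitelist": whitelist or conf["default_reject_whitelist"],
        "multi_ip": multi_ip[0] if multi_ip else None,  # None: one IP assumed
    }


if __name__ == "__main__":
    # Constructed sample replies: one fully specified, one relying on defaults.
    full = [("Framed-IP-Address", "192.0.2.10"), ("User-Name", "alice"),
            ("VasExperts-Policing-Profile", "reject_slow"),
            ("VasExperts-Service-Profile", "5:my_white_list")]
    print(resolve_reject(full))
    print(resolve_reject([("Framed-IP-Address", "192.0.2.11")]))
```
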
The key features of Access-Reject handling

The attributes used in the Access-Reject are applied temporarily. While the user properties delivered within the Access-Accept attributes are stored in the internal fastDPI database (UDR) and are applied even after a reboot, the Access-Reject attributes are applied without being saved in the UDR database. That is, when the fastDPI is rebooted, the user properties last delivered within an Access-Accept are restored and applied by the fastDPI until it receives new ones in response to an Access-Request.

Note: Some Radius client implementations do not allow subscriber attributes to be used within the Access-Reject. In such cases, the VAS Experts DPI offers the VasExperts-Restrict-User VSA.