| Next revision | Previous revision |
| en:dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response [2024/09/26 15:29] – created - external edit 127.0.0.1 | en:dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response [2026/03/25 11:45] (current) – [2. Policing with absolute values (simplified format)] elena.krasnobryzh |
|---|
| <note important>Need to create services and policing that will transfer using Radius attributes from billing. [[en:dpi:dpi_options:use_cases:qs_rateplans|Example of setting up policing (tariff plan) and Captive Portal, which are minimally required for startup]].</note> | <note important>Need to create services and policing that will transfer using Radius attributes from billing. [[en:dpi:dpi_options:use_cases:qs_rateplans|Example of setting up policing (tariff plan) and Captive Portal, which are minimally required for startup]].</note> |
| |
| ==== VasExperts-Policing-Profile ==== | ===== VasExperts-Policing-Profile ===== |
| The response to an Access-Accept must contain no more than one of this attribute.\\ | |
| - Preconfigured policing \\ A string attribute specifying the [[en:dpi:dpi_components:platform:subscriber_management:subsman_profiles|policing profile name]] for the user. \\ ''VasExperts-Policing-Profile = "50Mbps"'' | The ''VasExperts-Policing-Profile'' attribute is included in the Access-Accept response and is responsible for applying policing rules. |
| - Policing with absolute values transfer \\ ''VasExperts-Policing-Profile = "BV##100000#100000#+++-++++"'' \\ here: | |
| * ''BV'' --- By Value | <note important>The Access-Accept response must contain **no more than one** ''VasExperts-Policing-Profile'' attribute.</note> |
| * ''##100000'' --- Internet-to-subscriber limit in Kbps | |
| * ''#100000'' --- Subscriber-to-Internet limit in Kbps | Profile configuration options: |
| * ''#+++-++++'' --- cs0 ... cs7, rate(cs3)=0, cs3 is blocked, other classes are allowed at root speed with borrowing (HTB algorithm). | |
| | ==== 1. Preconfigured Profile==== |
| | A string attribute that specifies the name of the [[dpi:dpi_components:platform:subscriber_management:subsman_profiles|policing profile]]: |
| | <code>VasExperts-Policing-Profile = “50Mbps”</code> |
| | |
| | ====2. Policing with absolute values (simplified format)==== |
| | <code>VasExperts-Policing-Profile = “BV##100000#100000#+++-++++”</code> |
| | where: |
| | * ''BV'' — By Value, the HTB algorithm is used, where the ceil for each class is equal to the root rate |
| | * ''##100000'' — limit from the Internet to the subscriber (download), kbps |
| | * ''#100000'' — limit from subscriber to Internet (upload), kbps |
| | * ''#+++-++++'' — permission for classes cs0 … cs7, rate(cs3)=0 — class cs3 is blocked, other classes use root speed with the possibility of borrowing (HTB) |
| | |
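Review bot: the two code lines in sections 1 and 2 of the new revision wrap the value in typographic quotes (“50Mbps”, “BV##100000#100000#+++-++++”), where the previous revision used straight ASCII quotes. A value copied from these blocks into a billing or RADIUS configuration carries the curly quotes with it and may not be read as a quoted string. Suggest restoring the straight quotes, as in VasExperts-Policing-Profile = "50Mbps", which is also the style the extended-format examples use.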
| | ====3. Policing with Absolute Value Transmission (Extended HTB Format)==== |
| | SSG DPI uses [[en:dpi:dpi_options:opt_bandwidth_mgmt:bandwidth_conf|two types of policing]] — HTB (Hierarchical Token Bucket) and TBF (Token Bucket Filter). The examples below use the **HTB** algorithm with a minimum (rate) and maximum (ceil) speed limit for each class. |
| | |
| | The policing profile defines the overall rate (root) and the rate for each traffic class (cs0 … cs7) |
| | |
| | It allows you to set the rate and ceil parameters for each class separately and contains 36 parameters. |
| | |
| | <note important>Zero values are not passed</note> |
| | |
| | Format (displayed as a single line without line breaks): |
| | <code>VasExperts-Policing-Profile = "BR##4#<RIN><ROUT><CIN><COUT><RIN0><ROUT0><CIN0><COUT0><RIN1><ROUT1><CIN1><COUT1><RIN2><ROUT2><CIN2><COUT2><RIN3><ROUT3><CIN3><COUT3><RIN4><ROUT4><CIN4><COUT4><RIN5><ROUT5><CIN5><COUT5><RIN6><ROUT6><CIN6><COUT6><RIN7><ROUT7><CIN7><COUT7> |
| | </code> |
| | |
| | where: |
| | * ''BR'' — By Rates |
| | * ''##4#'' — HTB is used; the rate and ceil are transmitted for inbound and outbound traffic |
| | * ''<RIN>'' — kbps root rate (#8192k), the total rate for all classes for inbound traffic (download) |
| | * ''<ROUT>'' — kbps root rate (#8192k), total speed for all classes for outbound traffic (upload) |
| | * ''<RIN0> … <RIN7>'' — kbps class rate, minimum speed by class for inbound traffic (download) |
| | * ''<CIN0> … <CIN7>'' — kbps ceiling rate, maximum speed per class for inbound traffic (download) |
| | * ''<ROUT0> … <ROUT7>'' — kbps class rate, minimum speed per class for outbound traffic (upload) |
| | * ''<COUT0> … <COUT7>'' — kbps ceiling rate, maximum speed (ceiling) by class for outbound traffic (upload) |
| | |
| | <note important>The sum of the rates by class must be ≤ root rate\\ The ceiling of each class must be ≤ root rate</note> |
| | |
| | ===Example=== |
| | For convenience, it has been broken into lines, but it must be sent as a single line. |
| |
| ==== VasExperts-Service-Profile ==== | |
| A string option specifying the profile name for a specific fastDPI service. Used format: | |
| <code> | <code> |
| service_id:profile_name | VasExperts-Policing-Profile = "BR##4# |
| | 8192k8192k65M65M |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k" |
| </code> | </code> |
| Here: | |
| * ''service_id'' – is the number representing [[en:dpi:dpi_components:platform:subscriber_management:subsman_cmd|the fastDPI service identifier]] | |
| * ''profile_name'' – is the string representing [[en:dpi:dpi_components:platform:subscriber_management:subsman_profiles|the profile name according to the service]] | |
| |
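Review bot: the field list for the extended format defines <RIN>, <ROUT> and the per-class fields, but not <CIN> and <COUT>, which follow <RIN><ROUT> in the format line and carry 65M in the example. Suggest adding two entries for them and saying which root value the "≤ root rate" constraints refer to. Three smaller points in the same block: the format line has no closing quote; the descriptions show values as "#8192k" while the example writes them back to back with no "#" (8192k8192k65M65M), so the delimiter should be stated explicitly; and with "Zero values are not passed", the text should explain how the 36 positions stay aligned when a value is omitted.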
| **Example 1,** activating the NAT (11) service with the “cgnat” profile: | === DPI Test === |
| | <code>sudo fdpi_ctrl list --policing --ip <ip> | sed 's/\s/\n/g'</code> |
| | |
| | Sample output: |
| <code> | <code> |
| | htb_inbound_root=rate 8192kbit |
| | htb_inbound_class0=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class1=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class2=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class3=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class4=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class5=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class6=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class7=rate 1024kbit ceil 8192kbit |
| | |
| | htb_root=rate 8192kbit |
| | htb_class0=rate 1024kbit ceil 8192kbit |
| | htb_class1=rate 1024kbit ceil 8192kbit |
| | htb_class2=rate 1024kbit ceil 8192kbit |
| | htb_class3=rate 1024kbit ceil 8192kbit |
| | htb_class4=rate 1024kbit ceil 8192kbit |
| | htb_class5=rate 1024kbit ceil 8192kbit |
| | htb_class6=rate 1024kbit ceil 8192kbit |
| | htb_class7=rate 1024kbit ceil 8192kbit |
| | </code> |
| | |
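Review bot: the sample output under "DPI Test" does not match the command as written. sed 's/\s/\n/g' replaces every whitespace character with a newline, yet the output lines still contain spaces ("htb_inbound_root=rate 8192kbit"). Suggest either showing the output exactly as the command prints it or adjusting the sed expression so that it only splits between key=value entries. It would also help to say whether the 65M values from the example are expected to be absent here, since the root lines show only "rate 8192kbit".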
| | ===== VasExperts-Service-Profile ===== |
| | |
| | A string parameter that specifies the profile name for a specific fastDPI service.\\ String format: |
| | <code bash> |
| | service_id:profile_name |
| | </code> |
| | Where: |
| | - ''service_id'' — a number, [[dpi:dpi_components:platform:subscriber_management:subsman_cmd|fastDPI service identifier]]; |
| | - ''profile_name'' — a string, [[dpi:dpi_components:platform:subscriber_management:subsman_profiles|the profile name for the service]]. |
| | |
| | <note tip>The authorization response may contain zero or more ''VasExperts-Service-Profile'' attributes—one attribute for each service.</note> |
| | |
| | ====Example 1. NAT Connection==== |
| | NAT connection (service 11) using the "cgnat" profile. |
| | |
| | <code bash> |
| VasExperts-Service-Profile="11:cgnat" | VasExperts-Service-Profile="11:cgnat" |
| </code> | </code> |
| |
| **Example 2,** connecting the [[en:dpi:dpi_options:opt_capture|Allow List and Captive Portal, HTTP redirect]] (service 16) specifying page parameters for redirect "http://info.com" and allowed list of IP addresses "/var/lib/dpi/ip_list.bin": | ====Example 2. Configuring the Whitelist==== |
| <code> | Configuring [[en:dpi:dpi_options:opt_capture|Whitelist and Captive Portal, HTTP redirect]] (16 services) with the redirect page parameters set to "http://info.com" and the allowed IP address list set to "''/var/lib/dpi/ip_list.bin''". |
| | |
| | <code bash> |
| VasExperts-Service-Profile = "16:BV##/var/lib/dpi/ip_list.bin#http://info.com" | VasExperts-Service-Profile = "16:BV##/var/lib/dpi/ip_list.bin#http://info.com" |
| </code> | </code> |
| |
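Review bot: in Example 2 of the new text, "(16 services)" reads as a count of services. The previous revision had "(service 16)" and Example 1 uses "(service 11)", so suggest "(service 16)" here as well. The heading and link text also change "Allow List" to "Whitelist"; pick one term and use it in both places. The attribute lines in this section are tagged as bash code although they are RADIUS attribute assignments, not shell.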
| <note tip>The authorization response may contain zero or more ''VasExperts-Service-Profile attributes'', one attribute for each service.</note> | ====Example 3. Overriding Traffic Classes and Policing==== |
| |
| ==== VasExperts-Enable-Service ==== | [[en:dpi:dpi_options:opt_shaping:shaping_session|Service 18 (Session-Based Policing)]] is used to override traffic classes (cs0 … cs7) and configure session-based policing for a specific subscriber. |
| | |
| | The profile defines the distribution of DPI protocols across traffic classes.\\ Classes are assigned individually for each subscriber. |
| | |
| | Format: |
| | <code>VasExperts-Service-Profile = "18:BP##profile_name#/share/#IMSI_number.dscp#IMSI_number.tbf"</code> |
| | |
| | where: |
| | * ''18'' — traffic class reclassification and per-session policing |
| | * ''BP'' — By Parameters |
| | * ''##profile_name'' — profile name, created dynamically, displayed in the GUI and CLI |
| | * ''#/share/'' — directory on fastPCEF. Accessible over the network; only the filename is passed, while the file itself is read from the original directory. Contains source (.txt) files (not converted to binary) for easy verification |
| | * ''#IMSI_number.dscp'' — protocol and traffic class mapping file. Determines which class (cs0 … cs7) the traffic is placed in. Supports the **drop** flag for blocking |
| | * ''#IMSI_number.tbf'' — a file containing session-level policing parameters. Sets policing rules for individual protocols. Used to limit speed at the session level |
| | |
| | Example: |
| | <code>VasExperts-Service-Profile =18:BP##250019500475292#/share/#250019500475292.dscp#250019500475292.tbf</code> |
| | |
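Review bot: the closing example of Example 3 drops the quotes and the space after "=" that the Format line above it uses (VasExperts-Service-Profile =18:BP##250019500475292#...), so it does not match the documented form. Suggest quoting the value as in the Format line. The "#/share/" bullet is also hard to follow: "only the filename is passed, while the file itself is read from the original directory" does not say which directory fastPCEF reads from. Since the .dscp and .tbf names arrive in a RADIUS attribute, the text should state the directory they are resolved against.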
| | ===== VasExperts-Enable-Service ===== |
| A string parameter that specifies whether to activate/disable a specific service not requiring any profile. | A string parameter that specifies whether to activate/disable a specific service not requiring any profile. |
| String format : | String format : |
| [[en:dpi:dpi_options:opt_filtration:filtration_ctrl|global fastDPI configuration]]. Service 4 is usually globally activated in order to comply with the federal law. | [[en:dpi:dpi_options:opt_filtration:filtration_ctrl|global fastDPI configuration]]. Service 4 is usually globally activated in order to comply with the federal law. |
| |
| ==== VasExperts-Multi-IP-User ==== | ===== VasExperts-Multi-IP-User ===== |
| This attribute shows whether there are many IP addresses assigned for this subscriber or only just one. | This attribute shows whether there are many IP addresses assigned for this subscriber or only just one. |
| This attribute can be presented either by a byte or by a 32-bit number. | This attribute can be presented either by a byte or by a 32-bit number. |
| If the ''VasExperts-Multi-IP-User=1'' attribute is set to the user so the features (active services and policing) are applied to all subscribers IP addresses and the key is a subscriber login. Note that the Stingray SG authorizes **each** subscriber IP address: for example, if 10 IP addresses are associated with the subscriber, an Access-Request authorization request will be sent for **each** of the addresses. It is expected that the response to each IP address of a multi-IP subscriber will contain the same set of active services and the same profiles. The response to the authorization of each of the 10 IP-addresses mentioned above will be applied to the subscriber **login**, so all the IP addresses within this login will be assigned the same set of services along with the same policing. | If the ''VasExperts-Multi-IP-User=1'' attribute is set to the user so the features (active services and policing) are applied to all subscribers IP addresses and the key is a subscriber login. Note that the Stingray SG authorizes **each** subscriber IP address: for example, if 10 IP addresses are associated with the subscriber, an Access-Request authorization request will be sent for **each** of the addresses. It is expected that the response to each IP address of a multi-IP subscriber will contain the same set of active services and the same profiles. The response to the authorization of each of the 10 IP-addresses mentioned above will be applied to the subscriber **login**, so all the IP addresses within this login will be assigned the same set of services along with the same policing. |
| |
| ==== VasExperts-UserName ==== | ===== VasExperts-UserName ===== |
| The subscriber name (login). | The subscriber name (login). |
| |
| |
| {{anchor:VasExperts-Restrict-User}} | {{anchor:VasExperts-Restrict-User}} |
| ==== VasExperts-Restrict-User ==== | ===== VasExperts-Restrict-User ===== |
| The attribute to identify the subscriber is blocked. | The attribute to identify the subscriber is blocked. |
| |
| |
| {{anchor:VasExperts-Enable-Interconnect}} | {{anchor:VasExperts-Enable-Interconnect}} |
| ==== VasExperts-Enable-Interconnect ==== | ===== VasExperts-Enable-Interconnect ===== |
| The attribute indicating enabling/disabling local interconnect for the subscriber. | The attribute indicating enabling/disabling local interconnect for the subscriber. |
| |
| |
| By default, ''VasExperts-Enable-Interconnect=1'' and if ''bras_terminate_local=1'' is set in fastdpi.conf, then interconnect is allowed. This attribute can be used to disable interconnect for a specific subscriber by specifying ''VasExperts-Enable-Interconnect=0''. | By default, ''VasExperts-Enable-Interconnect=1'' and if ''bras_terminate_local=1'' is set in fastdpi.conf, then interconnect is allowed. This attribute can be used to disable interconnect for a specific subscriber by specifying ''VasExperts-Enable-Interconnect=0''. |
| ===== Optional Radius attributes ===== | ====== Optional Radius attributes ====== |
| In addition to the mentioned above VSA attributes the Stingray Service Gateway supports the following standard Radius-attributes within the Access-Accept/Access-Reject. All of them are optional. | In addition to the mentioned above VSA attributes the Stingray Service Gateway supports the following standard Radius-attributes within the Access-Accept/Access-Reject. All of them are optional. |
| |
| ==== Session-Timeout ==== | ===== Session-Timeout ===== |
| It specifies the duration of the subscriber authorization, in seconds. At the expiry of this time the SSG will send a second request for Access-Request to authorize. | It specifies the duration of the subscriber authorization, in seconds. At the expiry of this time the SSG will send a second request for Access-Request to authorize. |
| |
| By default, the session duration is specified in the fastdpi.conf using the ''auth_expired_timeout'' option (in **minutes**). | By default, the session duration is specified in the fastdpi.conf using the ''auth_expired_timeout'' option (in **minutes**). |
| |
| ==== Acct-Interim-Interval ==== | ===== Acct-Interim-Interval ===== |
| Specifies the time interval for updating Accounting statistics (in seconds) for the subscriber. | Specifies the time interval for updating Accounting statistics (in seconds) for the subscriber. |
| | |
| Interim interval is specified by default in the fastpcrf.conf using the ''radius_acct_interim_interval'' option. | Interim interval is specified by default in the fastpcrf.conf using the ''radius_acct_interim_interval'' option. |
| |
| ==== Idle-Timeout ==== | <note important>Explicitly setting ''Acct-Interim-Interval = 0'' in the RADIUS response disables sending Interim-Update.</note> |
| | |
| | ===== Idle-Timeout ===== |
| Specifies the interval over which the accounting data is unchanged, when it expires the accounting session is considered to be closed caused by the subscriber inactivity. Idle timeout is set by default by the fastpcrf.conf ''radius_acct_idle_timeout'' option. | Specifies the interval over which the accounting data is unchanged, when it expires the accounting session is considered to be closed caused by the subscriber inactivity. Idle timeout is set by default by the fastpcrf.conf ''radius_acct_idle_timeout'' option. |
| A way to determine the subscriber inactivity is specified by the ''acct_check_idle_mode'' option defined in the fastpcrf.conf. The description of the parameters can be found in the section [[en:dpi:bras_bng:radius_integration:radius_accounting:setup]]. | A way to determine the subscriber inactivity is specified by the ''acct_check_idle_mode'' option defined in the fastpcrf.conf. The description of the parameters can be found in the section [[en:dpi:bras_bng:radius_integration:radius_accounting:setup]]. |
| |
| ==== Class ==== | ===== Class ===== |
| This attribute will be added to all Accounting-Request PDUs if it is set. The SSG does not analyze the value of this attribute. | This attribute will be added to all Accounting-Request PDUs if it is set. The SSG does not analyze the value of this attribute. |
| |