Differences

This shows you the differences between two versions of the page.

--- en:dpi:bras_bng:use_cases:dpi_bestpractice_brasl2pppoe [2023/08/30 08:56] – elena.krasnobryzh
+++ en:dpi:bras_bng:use_cases:dpi_bestpractice_brasl2pppoe [2024/09/26 15:29] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
-====== dpi_bestpractice_brasl2pppoe ======
+====== BRAS L2 PPPoE Example ======
+{{indexmenu_n>5}}
+===== Description =====
+{{ dpi:qoe:use_cases:bras_l2_dhcp_radius_proxy.png?direct&600 |}}
+FastDPI BNG/BRAS supports PPPoE connection since version 7.2. The subscriber connects to the Stingray Service Gateway (SSG) using the PPPoE connection type, is terminated by SSG and then gets to the border.
+The following elements are involved in the SSG operation scheme in BNG/BRAS PPPoE mod:
+  - Client with PPPoE access type
+  - FastDPI - traffic processing and policing
+  - FastPCRF - proxying requests between fastDPI and Radius
+  - Radius server - accepting requests from fastPCRF and generating responses with specified attributes
+  - Router - is responsible for packets transmission to the Internet and the backward routing. At the moment the Static Route scenario and the scenario with [[en:dpi:dpi_components:router|OSPF and BGP routing configuration]] on SSG are possible.
+===== FastDPI Setup =====
+==== Editing the DPI Configuration File ====
+First, you need to uncomment (add) the following lines to the ///etc/dpi/fastdpi.conf// configuration file.
+<code>
+    #enable internal database of user properties
+udr=1
+    #activates BRAS L2 mode
+bras_enable=1
+enable_auth=1
+    #DPI "virtual" IP-address (must be unique for network)
+bras_arp_ip=192.168.1.2
+    #"virtual" MAC-address of DPI (you should use the real MAC-address of any of the DNA interfaces)
+bras_arp_mac=a0:36:9f:77:26:58
+    #border IP-address
+bras_gateway_ip=192.168.1.1
+    #MAC address of the border’s interface to which DPI is connected
+bras_gateway_mac=c4:71:54:4b:e7:8a
+    #server data where fastPCRF is installed (if the same server, do not change)
+auth_servers=127.0.0.1%lo:29002
+    #enable PPPoE
+bras_pppoe_enable=1
+    #set the maximum number of PPPoE sessions
+    #recommended value is *1.5-2 times more than the number of PPPoE subscribers
+bras_pppoe_session=10000
+    #choice of authorization protocol
+    #enable CHAP and MS-CHAPv2
+bras_ppp_auth_list=2,3
+    #vlan termination (this value means tag will be removed)
+bras_vlan_terminate=1
+    #local traffic interconnection
+bras_terminate_local=1
+    #enable accounting
+enable_acct=1
+    #subscriber billing statistics
+netflow=4
+    #timeout for sending statistics
+netflow_timeout=60
+</code>
+<note important>You should set your **own** values for the following parameters
+  * bras_arp_ip
+  * bras_arp_mac
+  * bras_gateway_ip
+  * bras_gateway_mac
+   </note>
+===== FastPCRF Setup =====
+FastPCRF needs to be configured. Edit the file ///etc/dpi/fastpcrf.conf// to do this. Find the line with the RADIUS server parameters and change:
+<code>
+     #secret123 - Radius secret
+     #192.168.1.10 - Radius server IP-address
+     #eth0 - FastPCRF interface "communicating" with the Radius server
+     #1812 - port to which FastPCRF sends authorization requests
+     #acct_port - port to which FasPCRF sends Accounting
+radius_server=secret123@192.168.1.10%eth0:1812;acct_port=1813
+</code>
+===== Radius Setup =====
+The setting is given as **an example** on freeRADIUS 3 and may differ from the configuration of your Radius server.
+==== VasExperts Dictionary ====
+First you need to add a VSA dictionary:
+  * copy the dictionary ///usr/share/dpi/dictionary.vasexperts// from the fastPCRF distribution to the //$freeRadius/share/freeradius// directory
+  * Добавляем в главный словарь //$freeRadius/share/freeradius/dictionary// строку:
+<code>
+$INCLUDE dictionary.vasexperts
+</code>
+==== Creating Radius Client ====
+Add the following lines to //raddb/clients.conf// of the Radius server
+<code>
+client fastdpi1 {
+	ipaddr		= 192.168.1.5
+	secret		= secret123
+	require_message_authenticator = yes
+#	add_cui = yes
+	virtual_server	= fastdpi-vs
+}
+</code>
+==== Creating a Virtual Server ====
+To create the configuration of the virtual server, copy the file //raddb/sites-available/default// in //raddb/sites-enabled/fastdpi-vs// (it is included in the FreeRadius supply), and then edit //fastdpi-vs//:
+  * set the name of the virtual server - change the line "server default" at the beginning of the file to "server fastdpi-vs"
+  * in the //listen// section for auth requests (type = auth), write which IP-address and which port listens to incoming requests (note that this is the local address of the Radius server):
+<code>
+ipaddr = 192.168.1.10
+port = 1812
+interface = eth0
+</code>
+==== Creating a User Account ====
+Add subscriber data to the ///etc/raddb/users// file:
+<code>
+testuser        Cleartext-Password := "VasExperts.FastDPI"
+        Framed-IP-Address = 192.168.2.199,
+        VasExperts-DHCP-DNS = 8.8.8.8,
+        VasExperts-Enable-Service = "9:on",
+	VasExperts-Policing-Profile = "100Mbps"
+	VasExperts-Service-Profile = "11:user_nat"
+</code>
+Also add two entries for FastPCRF in the file ///etc/raddb/users//:
+<code>
+VasExperts.FastDPI.unknownUser Cleartext-Password := "VasExperts.FastDPI"
+DEFAULT	Cleartext-Password := "VasExperts.FastDPI"
+</code>
+===== Router Setup =====
+On the router, add a static route to the subnet served by the DPI.
+<code>
+/ip route add dst-address=192.168.2.0/24 gateway=192.168.1.2
+</code>
+===== Test Subscriber Connection =====
+When an unknown subscriber is being connected, FastPCRF sends an Access-Request with the following content:
+<code>
+User-Name = testuser
+MS-CHAP-Challenge = 0xE193CBF29405D063646513166D33F57B
+MS-CHAP2-Response = 0x010041D33AE9751D811DBD4623CF8D9E0514000000000000000051760F288DC221D0DCE20CD196968607B56B72E72A852C25
+Calling-Station-Id = 18:0f:76:01:05:19
+Acct-Session-Id = C4C48F8E00000015
+Service-Type = Framed
+Framed-Protocol = 1
+NAS-Identifier = VasExperts.FastDPI
+VasExperts-Service-Type = 4
+Message-Authenticator = 0x26FE6195DAAC29492B03A3F0B07D638D
+</code>
+Access-Accept example on successful authorization:
+<code>
+Framed-IP-Address = 192.168.2.199
+VasExperts-DHCP-DNS = 8.8.8.8
+VasExperts-Enable-Service = 9:on
+VasExperts-Service-Profile = 11:user_nat
+MS-CHAP2-Success = 0x01533D34313746393641463434423233313445443043324433434439353437354336443738304532363832
+MS-MPPE-Recv-Key = 0x820F64564914155A4C24C039874650715FF81E2B5AA461668DA05CF6FF1926077290
+MS-MPPE-Send-Key = 0x8BA29098E69F39844E2FD74C5BD3FB0E7FD998348401E56379655D1E7DEA6310505E
+MS-MPPE-Encryption-Policy = 0x00000001
+MS-MPPE-Encryption-Type = 0x00000006
+VasExperts-User-Name = testuser
+</code>
+===== Troubleshooting =====
+When implementing L2 BRAS/BNG, various errors may occur, so that subscribers cannot be authorized and get access to the Internet. Below are the most common problems:
+==== No authorization requests. ====
+Check if fastpcrf process is running. Check if the server Radius address is specified correctly.
+==== I can ping DPI, but the ping does not reach the border. ====
+  - It is necessary to specify a static route to subscribers on the border. It is necessary to specify where the border has to route the traffic, since DPI is not yet able to announce the subscriber subnets it serves.
+  - In the case of using NAT, a similar route is required for the subscriber’s subnets used in NAT.
+  - Check if **bras_gateway_ip** and **bras_gateway_mac** parameters are set correctly.
+==== Statistics are not sent for Accounting. ====
+  - Check if the port for receiving statistics is allowed in the Firewall (1813 by default) on the Radius server.
+  - Check if the service 9 is activated for the subscriber.
+  - Check if accounting is enabled in DPI configuration settings.
+  - Check if the correct value is specified for the Netflow parameter.
+==== CoA does not reach BRAS/BNG. ====
+Check if the port for receiving CoA is allowed in the Firewall (3799 by default) on the server with FastPCRF.