Differences

This shows you the differences between two versions of the page.

--- en:dpi:bras_bng:use_cases:dpi_bestpractice_brasl2radiusproxy [2023/08/30 08:55] – elena.krasnobryzh
+++ en:dpi:bras_bng:use_cases:dpi_bestpractice_brasl2radiusproxy [2024/09/26 15:29] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
-====== dpi_bestpractice_brasl2radiusproxy ======
+====== BRAS L2 DHCP Radius Proxy Example ======
+{{indexmenu_n>2}}
+===== Description =====
+{{ :en:dpi:bras_bng:use_cases:dpi_bestpractice_brasl2radiusproxy:bras_l2_dhcp_radius_proxy.png?nolink&900 |}}
+BRAS DHCP L2 mode means that the subscriber recieves an IP-address via DHCP Proxy and proceeds to ААА in the Billing system. Then the subscriber is terminated by Stingray Service Gateway(SSG) and transferred to border equipment.
+The following elements are involved in the SSG operation scheme in BRAS L2 DHCP Radius Proxy mode:
+  - Client with Q-in-Q access type
+  - FastDPI - traffic processing and policing
+  - FastPCRF - proxying requests between fastDPI and Radius
+  - Radius server - accepts requests from fastPCRF and generates responses with specified attributes
+  - Router - is responsible for packets transmission to the Internet and the backward routing. At the moment the Static Route scenario and the scenario with [[en:dpi:dpi_components:router|OSPF and BGP routing configuration]] on SSG are possible.
+===== Scenario =====
+{{ :en:dpi:bras_bng:use_cases:dpi_bestpractice_brasl2radiusproxy:scenario_dhcp.png?nolink&700 |}}
+By DHCP request - In this case, when BRAS fixes DHCP requests from the subscriber network, it generates the corresponding Radius requests to obtain DHCP lease parameters that are communicated to the subscriber. In addition, in response to DHCP authentication, you can also transmit session parameters affecting the passage of subscriber traffic. When passed, the Session-Timeout is the lease time. When obtaining DHCP and traffic (IP) parameters separately, you can specify different Session-Timeout values, which, of course, will be quite convenient, for example, issue a lease time of 6 hours, but at the same time re-authorize traffic parameters every hour.
+The subscriber's equipment identifier is the MAC address, VLAN number or the values of the Option-82 fields.
+===== FastDPI Setup =====
+==== Editing the DPI Configuration File ====
+First, you need to uncomment (add) the following lines to the /etc/dpi/fastdpi.conf configuration file.
+<code>
+# enable internal database of user properties
+udr=1
+# activates L2 BRAS mode
+bras_enable=1
+enable_auth=1
+# DPI "virtual" IP address (must be unique on the network)
+bras_arp_ip=192.168.1.2
+# "virtual" DPI MAC address (you should use the real MAC address of any of the DNA interfaces)
+bras_arp_mac=a0:36:9f:77:26:58
+#border IP-address
+bras_gateway_ip=192.168.1.1
+#MAC address of the border’s interface to which DPI is connected
+bras_gateway_mac=c4:71:54:4b:e7:8a
+# server data where FastPCRF is installed (if the same server, do not change)
+auth_servers=127.0.0.1%lo:29002
+# enable DHCP Radius Proxy mode
+bras_dhcp_mode=2
+# vlan termination (this value means tag will be removed)
+bras_vlan_terminate=1
+# MAC-addresses replacement
+bras_terminate_l2=1
+# traffic termination only for AS, marked as "term" (useful if traffic that does not need to be terminated also passes through DPI)
+bras_term_by_as=1
+# local traffic interconnection
+bras_terminate_local=1
+# enable accounting
+enable_acct=1
+# subscriber billing statistics
+netflow=4
+# timeout for sending statistics
+netflow_timeout=60
+</code>
+<note important>You should set **your own** values for the following parameters
+  * bras_arp_ip
+  * bras_arp_mac
+  * bras_gateway_ip
+  * bras_gateway_mac
+   </note>
+==== AS Specification for Termination ====
+The next step is to mark the AS traffic that has to be terminated.
+The AS list is prepared in text format, each entry on a new line in the format CIDR<space>AS_number:
+<code>
+.168.2.0/24 65550
+</code>
+Then it is converted into an internal format by the as2bin utility and placed in the file ///etc/dpi/aslocal.bin//, where DPI will pick it up. The address ranges specified in the list will be added to the global list.
+<code>
+cat aslocal.txt | as2bin /etc/dpi/aslocal.bin
+</code>
+The list of local AS to be terminated is prepared in a text file in the format AS_number<space>flag:
+<code>
+local
+term
+</code>
+To convert into internal format and place into the main directory, where the DPI will pick the settings up:
+<code>
+cat my_as_dscp.txt | as2dscp /etc/dpi/asnum.dscp
+</code>
+===== FastPCRF Setup =====
+To configure FastPCRF, edit the file ///etc/dpi/fastpcrf.conf//. Find the line with the RADIUS server parameters and change
+<code>
+     #secret123 - Radius secret
+     #192.168.1.10 - IP address of Radius server
+     #eth0 - the interface from which FastPCRF communicates with the Radius server
+     #1812 - the port to which FastPCRF sends authorization requests
+     #acct_port - the port that FasPCRF sends Accouting to
+radius_server=secret123@192.168.1.10%eth0:1812;acct_port=1813
+</code>
+===== Radius Setup =====
+The setup is given as **an example** on freeRADIUS 3 and may differ from the configuration of your Radius server.
+==== VasExperts Dictionary ====
+First you need to add a VSA dictionary
+  * Copy the dictionary /usr/share/dpi/dictionary.vasexperts from the fastPCRF distribution into $freeRadius/share/freeradius directory
+  * Add the following line to the main dictionary $freeRadius/share/freeradius/dictionary:
+<code>
+$INCLUDE dictionary.vasexperts
+</code>
+==== Creating Radius Client ====
+Add the following lines to raddb/clients.conf of the Radius server
+<code>
+client fastdpi1 {
+	ipaddr		= 192.168.1.5
+	secret		= secret123
+	require_message_authenticator = yes
+#	add_cui = yes
+	virtual_server	= fastdpi-vs
+}
+</code>
+==== Creating a virtual server ====
+To create a virtual server configuration, copy the included in the FreeRadius file raddb/sites-available/default, to raddb/sites-enabled/fastdpi-vs. Then edit fastdpi-vs:
+  * set the name of the virtual server - change the 'server default' line at the beginning of the file to 'server fastdpi-vs'
+  * in the 'listen' section for auth requests (type = auth), set IP-addresses and ports that will listen to the incoming requests (note that this is the local address of the Radius server):
+<code>
+ipaddr = 192.168.1.10
+port = 1812
+interface = eth0
+</code>
+==== Creating an account for authorization ====
+Add subscriber data to the file ///etc/raddb/users//
+<code>
+testuser        Cleartext-Password := "VasExperts.FastDPI"
+        Framed-IP-Address = 192.168.2.199,
+        VasExperts-DHCP-DNS = 8.8.8.8,
+        VasExperts-Enable-Service = "9:on",
+	VasExperts-Policing-Profile = "100Mbps"
+	VasExperts-Service-Profile = "11:user_nat"
+</code>
+Two more lines for FastPCRF should also be added to the file ///etc/raddb/users//
+<code>
+VasExperts.FastDPI.unknownUser Cleartext-Password := "VasExperts.FastDPI"
+DEFAULT	Cleartext-Password := "VasExperts.FastDPI"
+</code>
+===== Router Setup =====
+On the router, add a static route to the subnet served by the SSG.
+<code>
+/ip route add dst-address=192.168.2.0/24 gateway=192.168.1.2
+</code>
+===== Connecting a Test Subscriber =====
+When an unknown subscriber is connected, FastPCRF sends an Access-Request with the following content:
+<code>
+User-Name = "A0:36:9F:77:26:58"
+User-Password = "VasExperts.DPI"
+Calling-Station-Id = "a0:36:9f:77:26:58"
+NAS-Port-Type = 5
+NAS-Port = 100
+NAS-Identifier = "VasExperts.FastDPI"
+Service-Type = 2
+VasExperts-Service-Type =1
+VasExperts-DHCP-Request = Discover
+VasExperts-DHCP-RelayRemoteId = 0x3137322e31372e312e32
+VasExperts-DHCP-RelayCurcuitId = 0x000601360100000a
+</code>
+<note tip>By default FastPCRF puts the subscriber's MAC address in the User-Name field. In the FastPCRF configuration file it is possible to specify what should be used as a login (for example, QinQ tag)</note>
+When the subscriber is authorized successfully, FastPCRF expects to receive a list of necessary services and a tariff for this subscriber in Access-Accept in addition to other network parameters.
+<code>
+Session-Timeout = 84600
+User-Name = "Subscriber001"
+Framed-IP-Address = 10.0.0.10
+Framed-IP-Netmask = 255.255.255.0
+VasExperts-DHCP-Gateway = 10.0.0.1
+VasExperts-DHCP-DNS = 8.8.8.8
+VasExperts-DHCP-DNS = 8.8.4.4
+VasExperts-Policing-Profile = "100Mbps"
+VasExperts-Service-Profile = "11:CG_NAT_POOL_1"
+VasExperts-Service-Enable = "9:on"
+</code>
+===== Troubleshooting =====
+When implementing L2 BRAS, some errors may occur, when the subscribers cannot be authorized and connected to the Internet. Below are the most common problems:
+==== There are no authorization requests ====
+Check if fastPCRF process is running and if the server Radius address is specified correctly.
+==== Authorization requests do not reach the Radius server ====
+Check if the Firewall's port is allowed to receive authorization requests (by default 1812) on the Radius server.
+==== I can ping DPI, but the ping does not reach the border ====
+  - It is necessary to set a static route towards the subscribers on the border. Since DPI is not able to announce the subscriber subnets that it serves yet, it is necessary to indicate the border where to route the traffic.
+  - In the case of using NAT for subscribers, a similar route is required for the subnets used in NAT.
+  - Сheck if the parameters **bras_gateway_ip** and **bras_gateway_mac** are set correctly.
+==== Statistics for Accounting is not sent ====
+  - Check if the port for receiving statistics is allowed in the Firewall (by default 1813) on the Radius server.
+  - Check if service 9 is activated for the subscriber.
+  - Check if accounting is enabled in DPI configuration settings.
+  - Check if the correct value is specified for the Netflow parameter.
+==== CoA does not reach BRAS ====
+Check if the port for receiving CoA (3799 by default) is allowed in the Firewall on the server with FastPCRF.