Differences

This shows you the differences between two versions of the page.

--- en:dpi:dpi_bestpractice:dpi_bestpractice_brasl2radiusproxy [2020/08/26 12:15] – edrudichgmailcom
+++ en:dpi:dpi_bestpractice:dpi_bestpractice_brasl2radiusproxy [2023/08/28 14:44] (current) – removed edrudichgmailcom
@@ Line 1: / Line 1: @@
-====== BRAS L2 DHCP Radius Proxy Example ======
-{{indexmenu_n>8}}
-===== Description =====
-{{ :dpi:dpi_bestpractice:bras_l2_dhcp_radius_proxy.png?direct&600 |}}
-BRAS DHCP L2 mode means that the subscriber recieves an IP-address via DHCP Proxy and proceeds to ААА in the Billing system. Then the subscriber is terminated by VAS Experts DPI and transferred to border equipment.
-The following elements are involved in the VAS Experts DPI operation scheme in BRAS L2 DHCP Radius Proxy mode:
-  - Client with Q-in-Q access type
-  - FastDPI - traffic processing and policing
-  - FastPCRF - proxying requests between fastDPI and Radius
-  - Radius server - accepts requests from fastPCRF and generates responses with specified attributes
-  - Router - is responsible for packets transmission to the Internet and the backward routing. It is necessary to specify the Static Route, since VAS Experts DPI does not support OSPF and BGP at the moment.
-===== Scenario =====
-===== FastDPI Setup =====
-==== Editing the DPI Configuration File ====
-First, you need to uncomment (add) the following lines to the /etc/dpi/fastdpi.conf configuration file.
-<code>
-    #enabling internal database of user properties
-udr=1
-    #enabling the authorization by IP mode
-enable_auth=1
-    #enabling L2 BRAS mode
-bras_enable=1
-    #"virtual" IP address of DPI (must be unique on the network)
-bras_arp_ip=192.168.1.2
-    #"virtual" MAC address of DPI (use the real MAC address of any of the DNA interfaces)
-bras_arp_mac=a0:36:9f:77:26:58
-    #IP address of the border
-bras_gateway_ip=192.168.1.1
-    #MAC address of the interface to which DPI is connected on the border
-bras_gateway_mac=c4:71:54:4b:e7:8a
-    #server data which Fastpcrf is installed on (if it is the same where Fastdpi is installed, do not change)
-auth_servers=127.0.0.1%lo:29002
-	#enabling of DHCP Relay Agent mode
-bras_dhcp_mode=1
-	#192.168.10.2 – IP-address of DHCP-server
-	#veth0 – the name of the network interface that communicates with the DHCP server
-	#67 – port, default value: 68
-	#arp_proxy - lag in response to ARP requests for the DHCP-server IP-address
-	#alias_ip - DHCP server alias
-	#reply_port - port that recieves for responses from the DHCP server
-bras_dhcp_server=192.168.10.2%veth0:67;arp_proxy=1;alias_ip=192.168.1.4;reply_port=67
-    #vlan termination (in this case the tag will be cut out)
-bras_vlan_terminate=1
-    #MAC spoofing
-bras_terminate_l2=1
-    #local traffic interconnection
-bras_terminate_local=1
-    #enabling accounting
-enable_acct=1
-    #subscribers billing statistics
-netflow=4
-    #timeout for sending statistics
-netflow_timeout=60
-</code>
-<note important>You should set **your own** values for the following parameters
-  * bras_arp_ip
-  * bras_arp_mac
-  * bras_gateway_ip
-  * bras_gateway_mac
-   </note>
-===== FastPCRF Setup =====
-To configure FastPCRF, edit the file ///etc/dpi/fastpcrf.conf//. Find the line with the RADIUS server parameters and change
-<code>
-     #secret123 - Radius secret
-     #192.168.1.10 - IP address of Radius server
-     #eth0 - the interface from which FastPCRF communicates with the Radius server
-     #1812 - the port to which FastPCRF sends authorization requests
-     #acct_port - the port that FasPCRF sends Accouting to
-radius_server=secret123@192.168.1.10%eth0:1812;acct_port=1813
-</code>
-===== Radius Setup =====
-The setup is given as **an example** on freeRADIUS 3 and may differ from the configuration of your Radius server.
-==== VasExperts Dictionary ====
-First you need to add a VSA dictionary
-  * Copy the dictionary /usr/share/dpi/dictionary.vasexperts from the fastpcrf distribution into $freeRadius/share/freeradius directory
-  * Add the following line to the main dictionary $freeRadius/share/freeradius/dictionary:
-<code>
-$INCLUDE dictionary.vasexperts
-</code>
-==== Creating Radius Client ====
-Add the following lines to raddb/clients.conf of the Radius server
-<code>
-client fastdpi1 {
-	ipaddr		= 192.168.1.5
-	secret		= secret123
-	require_message_authenticator = yes
-#	add_cui = yes
-	virtual_server	= fastdpi-vs
-}
-</code>
-==== Creating a virtual server ====
-To create a virtual server configuration, copy the included in the FreeRadius file raddb/sites-available/default, to raddb/sites-enabled/fastdpi-vs. Then edit fastdpi-vs:
-  * set the name of the virtual server - change the 'server default' line at the beginning of the file to 'server fastdpi-vs'
-  * in the 'listen' section for auth requests (type = auth), set IP-addresses and ports that will listen to the incoming requests (note that this is the local address of the Radius server):
-<code>
-ipaddr = 192.168.1.10
-port = 1812
-interface = eth0
-</code>
-==== Creating an account for authorization ====
-Add subscriber data to the file ///etc/raddb/users//
-<code>
-testuser        Cleartext-Password := "VasExperts.FastDPI"
-        Framed-IP-Address = 192.168.2.199,
-        VasExperts-DHCP-DNS = 8.8.8.8,
-        VasExperts-Enable-Service = "9:on",
-	VasExperts-Policing-Profile = "100Mbps"
-	VasExperts-Service-Profile = "11:user_nat"
-</code>
-Two entries for FastPCRF should also be added to the file ///etc/raddb/users//
-<code>
-VasExperts.FastDPI.unknownUser Cleartext-Password := "VasExperts.FastDPI"
-DEFAULT	Cleartext-Password := "VasExperts.FastDPI"
-</code>