| Next revision | Previous revision |
| en:dpi:dpi_components:freeradius:local_auth [2025/12/18 07:37] – created elena.krasnobryzh | en:dpi:dpi_components:freeradius:local_auth [2026/03/13 07:36] (current) – elena.krasnobryzh |
|---|
| |
| ===== FreeRADIUS configuration ===== | ===== FreeRADIUS configuration ===== |
| - **Disabling EAP.** within this build, disabling is not strictly required, but EAP may cause errors when enabling the ''radiusd'' unit, so it is recommended to disable it. go to the directory ''/etc/raddb/sites-available/default | - **Disabling EAP.** Within this build, complete removal is not required, but EAP may cause errors when enabling the ''radiusd'' unit, so it should be disabled. Go to the configuration files ''/etc/raddb/sites-available/default'' and ''/etc/raddb/sites-enabled/inner-tunnel''\\ Disable EAP in the following sections:<code bash>authorize { |
| /etc/raddb/sites-enabled/inner-tunnel''\\ | |
| Disable EAP in the following sections: | |
| <code bash> | |
| authorize { | |
| # eap { | # eap { |
| # ok = return | # ok = return |
| post-proxy { | post-proxy { |
| # eap | # eap |
| </code> | </code> Also, if necessary, remove the EAP file from the module ''/etc/raddb/mods-enabled/eap''. |
| If necessary, also remove EAP files from the modules ''/etc/raddb/mods-available/eap'' and ''/etc/raddb/mods-enabled/eap''. | - **Client/NAS configuration.** clients here refer to RADIUS clients, in this case — fastPCRF.\\ If the FreeRADIUS server is deployed on the same node as fastPCRF, no additional configuration is required — it is enough to verify the default configuration in the file ''/etc/raddb/clients.conf''.\\ If a remote NAS needs to be defined, use the same file and add a client description, for example:<code bash> |
| - **Client/NAS configuration.** clients here refer to RADIUS clients, in this case — fastPCRF.\\ | |
| If the FreeRADIUS server is deployed on the same node as fastPCRF, no additional configuration is required — it is enough to verify the default configuration in the file ''/etc/raddb/clients.conf''.\\ | |
| If a remote NAS needs to be defined, use the same file and add a client description, for example: | |
| <code bash> | |
| client fastpcrf1 { | client fastpcrf1 { |
| ipaddr = < IP > | ipaddr = < IP > |
| secret = < SECRET > | secret = < SECRET > |
| require_message_authenticator = yes | require_message_authenticator = yes |
| } | }</code> |
| </code> | - **Subscriber authorization.** it is required to configure an Access-Accept template that will be generated by FreeRADIUS. to do this, add configuration to the file ''/etc/raddb/users'', explicitly allowing authorization of all requests regardless of attributes, username, or authorization type.<code bash>DEFAULT Auth-Type := Accept |
| - **Subscriber authorization.** it is required to configure an Access-Accept template that will be generated by FreeRADIUS. to do this, add configuration to the file ''/etc/raddb/users'', explicitly allowing authorization of all requests regardless of attributes, username, or authorization type. | |
| <code bash> | |
| DEFAULT Auth-Type := Accept | |
| User-name = "%{User-name}", | User-name = "%{User-name}", |
| VasExperts-L2-User = 1, | VasExperts-L2-User = 1, |
| VasExperts-DHCP-DNS = "8.8.8.8", | VasExperts-DHCP-DNS = "8.8.8.8", |
| VasExperts-DHCP-DNS = "8.8.4.4" | VasExperts-DHCP-DNS = "8.8.4.4" |
| </code> | </code>This template is suitable for all authorization types (DHCP, IPoE static L2, PPPoE). if the Framed-IP-Address attribute is absent in the Access-Request, FreeRADIUS sends Access-Accept with Framed-IP-Address = 0.0.0.0. fastPCRF ignores an attribute with this value, and IP address assignment is performed based on the Framed-Pool attribute. to allocate addresses from Framed-Pool, a local DHCP server must be installed and configured on the server. [[en:dpi:bras_bng:ip_pool|more details]] |
| This template is suitable for all authorization types (DHCP, IPoE static L2, PPPoE). if the Framed-IP-Address attribute is absent in the Access-Request, FreeRADIUS sends Access-Accept with Framed-IP-Address = 0.0.0.0. fastPCRF ignores an attribute with this value, and IP address assignment is performed based on the Framed-Pool attribute. to allocate addresses from Framed-Pool, a local DHCP server must be installed and configured on the server. [[en:dpi:bras_bng:ip_pool|more details]] | - **fastPCRF settings.** configure the RADIUS server. when using a standby server, specify it after the line with the primary ''radius_server''.<code bash>radius_server=secret@127.0.0.1%lo:1812;acct_port=1813</code> |
| - **fastPCRF settings.** configure the RADIUS server. when using a standby server, specify it after the line with the primary ''radius_server''. | - **Verification.** first, check the FreeRADIUS configuration using the command ''radiusd –CX''.\\Then start RADIUS in debug mode using ''radiusd –X'' — all message processing will be shown in the CLI and errors will be clearly visible.\\Check authorization from the PCRF side in the file ''/var/log/dpi/fastpcrf_ap2.log''. if the system operates correctly, start FreeRADIUS in normal mode and enable autostart:<code bash>systemctl start radiusd |
| <code bash> | systemctl enable radiusd</code> |
| radius_server=secret@127.0.0.1%lo:1812;acct_port=1813 | |
| </code> | |
| - **Verification.** first, check the FreeRADIUS configuration using the command ''radiusd –CX''.\\ | |
| Then start RADIUS in debug mode using ''radiusd –X'' — all message processing will be shown in the CLI and errors will be clearly visible.\\ | |
| Check authorization from the PCRF side in the file ''/var/log/dpi/fastpcrf_ap2.log''. if the system operates correctly, start FreeRADIUS in normal mode and enable autostart: | |
| <code bash> | |
| systemctl start radiusd | |
| systemctl enable radiusd | |
| </code> | |
| |
| ===== Access-Accept template variants for different authorization types (L3, DHCP, PPPoE) ===== | ===== Access-Accept template variants for different authorization types (L3, DHCP, PPPoE) ===== |
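
Review bot: In the Verification step the new revision still writes the commands as ''radiusd –CX'' and ''radiusd –X'' with an en dash, which the shell will not parse as an option when the text is copied; use an ASCII hyphen (''radiusd -CX'', ''radiusd -X''). In the Disabling EAP step the revised sentence pairs ''/etc/raddb/sites-available/default'' with ''/etc/raddb/sites-enabled/inner-tunnel''; name both files under the same directory so it is clear which copy is meant to be edited. Because the ''DEFAULT Auth-Type := Accept'' entry accepts every request regardless of username or attributes, the Subscriber authorization step should state that the ''clients.conf'' entry (client address, secret, ''require_message_authenticator = yes'') is the only restriction on who receives an Access-Accept, and the fastPCRF example ''radius_server=secret@127.0.0.1%lo:1812;acct_port=1813'' should use a placeholder such as ''< SECRET >'', matching the ''clients.conf'' example, so the literal word ''secret'' is not copied into a deployment.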