Configuration [Документация VAS Experts]
Документация VAS Experts Документация VAS Experts-mobile
in

Settings

  • Show page
  • Old revisions
  • Export to PDF
  • Fold/unfold all
  • Backlinks
  • Show page
  • Old revisions
  • Export to PDF
  • Fold/unfold all
  • Backlinks

    • Differences

    This shows you the differences between two versions of the page.

    Link to this comparison view

    Both sides previous revisionPrevious revision
    Next revision    		Previous revision
    en:dpi:dpi_components:radius:radius_config:start [2023/11/07 09:41] – [CIDR-based NAT Connection] elena.krasnobryzhen:dpi:dpi_components:radius:radius_config:start [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
    Line 1: Line 1:
    -====== Configuration ====== 
    -{{indexmenu_n>3}} 
    -Radius Accounting needs to be put into the DPI device ports along with the network traffic. This can be done by mirroring the ports to which the Radius server is connected. 
      
    -===== TAP Interfaces Setup ===== 
    -Radius Monitor can be launched on the same server as FastDPI or it can be placed on an external server. To allocate the necessary traffic, two virtual interfaces TAP0 and TAP1 are used.\\ 
    -{{:dpi:dpi_components:radius:radius_config:radius_monitor_dpdk.png?600|Placing Radius monitor on the same server. Bridge used.}}\\ 
    -**Placing Radius monitor on the same server. Bridge is used.**\\ 
    -\\ 
    -\\ 
    -{{:dpi:dpi_components:radius:radius_config:radius_monitor_dpdk_tunnel.png?600|Placing Radius monitor on an external server. Tunnel used.}}\\ 
    -**Placing Radius monitor on an external server. Tunnel is used.** 
    -  * TAP0 - is used for traffic steering 
    -  * TAP1 - listens to Radius Monitor 
    -  * A Bridge or Tunnel is created between TAP0 and TAP1 to transfer traffic. 
    -  * Mac learning is disabled on the TAP0 interface 
    -Run the following commands from the console: 
    -<code> 
    -ip tuntap add tap0 mode tap 
    -ip tuntap add tap1 mode tap 
    - 
    -ip link set dev tap0 up 
    -ip link set dev tap1 up 
    - 
    -ip link add br0 type bridge 
    - 
    -ip link set tap0 master br0 
    -bridge link set dev tap0 learning off 
    -ip link set tap1 master br0 
    - 
    -ifconfig tap0 192.168.4.20 up 
    -ifconfig tap1 192.168.4.21 up 
    -ifconfig br0 up 
    -</code> 
    -<note warning>Attention: TAP interfaces must be started after server restart!</note> 
    - 
    -===== Traffic Steering Setup ===== 
    -Connect the traffic steering service to FastDPI: 
    -<code> 
    -fdpi_ctrl load profile --service 14 --profile.name radius  --profile.json '{ "typedev" : "tap","dev" : "tap0","udp" : [ 1813,1814,1815 ] }' --outformat=json  
    -fdpi_ctrl load --service 14 --profile.name radius --ip 10.16.252.11 
    -fdpi_ctrl load --service 14 --profile.name radius --ip 10.16.252.12 
    -</code> 
    -here: 
    -  * 1813,1814,1815 - ports on which Radius Accounting is transmitted 
    -  * 10.16.252.11,10.16.252.12 - Radius servers' IP addresses, from which Radius Accounting is sent. 
    - 
    -===== Radius Monitor Setup ===== 
    -<note important>Radius events monitor is configured by the file **/etc/dpi/fdpi_radius.conf.**</note> 
    -<code> 
    -# FastDPI RADIUS configuration parameters: 
    -# listening interface name 
    -in_dev=tap1 
    -# listening port number (or a list of ports separated by commas) with Radius Accounting packets 
    -rad_acct_port=1813,1814,1815 
    -# save bad PDUs in pcap format for analysis 
    -rad_save_pdu=0 
    -# analyze PDU with code 2 and 4 
    -rad_check_code_pdu=2:4 
    -# analyze PDU with status 1 and 3 
    -rad_check_acct_status_type=1:3 
    -# initialize memory at start  
    -mem_preset=1 
    -# List of DPI servers, to send data to 
    -fdpi_servers=127.0.0.1:29000,123.45.67.85:29000 
    - 
    -# stream processing setup (it is recommended to use the values from the example) 
    -num_threads=1 
    -rx_bind_core=0 
    -services_bind_cores=0 
    -engine_bind_cores=0 
    -fifo_bind_cores=0 
    -snaplen=2000 
    -timeout_alarm=5 
    -dbg_log_mask=0x31 
    -</code> 
    - 
    -===== CIDR-based NAT Connection ===== 
    -Create named NAT profiles at FastDPI: 
    -<code> 
    -fdpi_ctrl load profile --service 11 --profile.name nat_profile_all --profile.json '{ "nat_ip_pool" : "5.200.43.0/24,5.200.44/25", "nat_tcp_max_sessions" : 2000, "nat_udp_max_sessions" : 2000 }' 
    -</code> 
    -In Radius monitor configuration file /etc/dpi/fdpi_radius.nat address ranges and their corresponding nat profile names are specified 
    -<code> 
    -example: 
    -0.0.0.0/              nat_profile_all 
    -10.0.0.0/            nat_profile_1 
    -10.1.1.0/24           nat_profile_2 
    -when there is a more specific profile for an address, then it is selected. 
    -</code> 
    - 
    -<note>Parameter description [[en:dpi:opt_cgnat:сgnat_settings:start#parameters_and_possible_values|at the link]]</note> 
    -===== IPv6 Support ===== 
    -The file /etc/dpi/fdpi_radius.conf specifies the configuration parameters 
    -<code> 
    -bind_ipv6_address=0 (by default - do not bind the address with the subscriber), 1 - to bind (binding similar to the bind command in fdpi_ctrl). The address is taken from the attribute radius Framed-IPv6-Address (168) 
    -bind_ipv6_subnet=0 (by default - do not bind), 64 (bind only for /64 subnets), 1 - bind for any subsets. Subnet is taken from the Delegated-IPv6-Prefix radius attribute (123) 
    -</code> 
    -The subscriber is identified by the radius attribute User-Name or Calling-Station-ID (depending on the login_replace setting) 
    -<note>The current version only supports fixed-length IPv6 subnets (default /64), so linking smaller subnets will result in an error.</note>  
    - 
    -===== Subscribers Identification in mobile networks ===== 
    -In the configuration file /etc/dpi/fdpi_radius.conf specify the parameter: 
    -<code> 
    -login_replace=1 
    -</code> 
    -in this case, the radius attribute Calling-Station-ID is used instead of User-Name to identify the subscriber if it is present in the radius of the packet. 
    - 
    -===== Radius Monitor Additional Settings ===== 
    -<code> 
    -# FastDPI RADIUS configuration parameters: 
    -   # outgoing interface name, if the Monitor operates in traffic pass mode 
    -#out_dev=dna1 
    - 
    -   # enable emulation of the redundant Radius server 
    -#rad_server_emulation=1 
    - 
    -   # enable emulation of the network card 
    -#rad_virtual_eth=172.17.69.10/D4:AE:52:C1:A7:29 
    - 
    -   # secret value for generating responses in the server Radius emulation mode 
    -#rad_secret=mysecretkey 
    - 
    -   # add region prefixes to subscriber names (LOGIN) 
    -#rad_prefix_info=1 
    - 
    -   # listening port number (or a list of ports separated by commas) with Radius Authentication packets 
    -#rad_auth_port=1645 
    - 
    -   # allow multiple IPs on the same USER-NAME see command load --bind_multi, warning: if the order of bind/unbind in the radius stream is not maintained or there are packet losses (for example, a mirror), then artifacts are possible 
    -#bind_multi=true 
    -</code> 
    - 
    -==== Addition of subscriber names (LOGIN) with region prefixes ==== 
    -This is used when the Radius monitor and SSG serve several regions, and the user-name in different regions can overlap with other regions, so they can be separated into different login\\ 
    - 
    -1. Turn on the setting rad_prefix_info=1\\ 
    - 
    -2. Add \\ to the file /etc/dpi/prefixes.info 
    -<code> 
    -172.17.76.1 MSK- 
    -172.17.76.2 MSK- 
    -172.17.76.3 SPB- 
    -172.17.76.4 SPB- 
    -172.17.76.5SPB- 
    -</code> 
    -where:\\ 
    -the first field is the NAS-IP-Address from the Radius package\\ 
    -second field - what prefix will be added to login\\ 
    - 
    -See also: [[en:dpi:dpi_components:radius:radius_admin:start|Administration]]