Differences

This shows you the differences between two versions of the page.

--- en:dpi:dpi_components:radius:radius_requirements [2018/03/19 12:04] – created lexx26
+++ en:dpi:dpi_components:radius:radius_requirements [2025/09/03 08:04] (current) – [IPv6 Support] elena.krasnobryzh
@@ Line 1: / Line 1: @@
-====== 1 Hardware requirements ======
+====== Description and Configuration ======
+{{indexmenu_n>1}}
+FastRADIUS (RADIUS Event Monitor) is designed to create an IP-LOGIN binding in DPI in networks with dynamic IP address assignment based on RADIUS Accounting (Mapping IP-LOGIN). \\
+FastRADIUS supports the following commands in FastDPI: \\
+  - [[en:dpi:dpi_components:platform:subscriber_management:dpi_dynamicip|Support for subscribers with single IPv4 address and IPv6 subnet]] \\ Binding IP address to LOGIN:<code bash>fdpi_ctrl load --bind --user user_name:ip_address</code> Removing IP <-> login binding: <code bash>fdpi_ctrl del --bind --login user_name</code>
+  - [[en:dpi:dpi_components:platform:subscriber_management:dpi_ipmulti|]] \\ Binding IP address or IP block to LOGIN: <code bash>fdpi_ctrl load --bind_multi --user user_name:ip_address_or_block</code> Removing one of IPs bound to LOGIN:<code bash>fdpi_ctrl del --bind_multi --ip ip_address</code>
+It is also possible to assign CG-NAT ([[dpi:opt_cgnat|service 11]]) based on specified parameters.
+====== Operation Schemes ======
+===== Recommended Scheme: Receiving RADIUS Accounting Traffic on a Dedicated Linux Interface Not Connected to FastDPI =====
+RADIUS Accounting is delivered to FastRADIUS on a standard Linux interface specified in the configuration file (''in_dev'') by mirroring existing RADIUS traffic or using a RADIUS proxy (e.g., [[en:dpi:dpi_components:freeradius|FreeRADIUS]]). In this case, FastRADIUS only receives the mirror and does not respond to the RADIUS server.
+Interaction with standard Linux interfaces is handled via ''libpcap''.
+{{ :dpi:dpi_components:radius:recommended_scheme.png?nolink&600 |}}
+==== Minimum FastRADIUS Configuration ====
+Settings are located in the file ''/etc/dpi/fdpi_radius.conf''.
+To apply the configuration, restart the service:
+<code bash>systemctl restart fastradius</code>
+  * ''in_dev=eth0'' — name of the listening Linux interface
+  * ''rad_acct_port=1813,1814,1815'' — listening port number (or comma-separated list of ports) for Radius Accounting packets
+  * ''save_pdu_proto=0'' — save PDU in pcap format for analysis. Set by bitmask:
+    * ''0x00'' — write nothing
+    * ''0x01'' — broken/unparsed RADIUS packets
+    * ''0x02'' — all RADIUS packets
+    * ''0x04'' — broken/unparsed DIAMETER packets
+    * ''0x08'' — all DIAMETER
+    * ''0x10'' — broken TACACS+ packets
+    * ''0x20'' — all TACACS+ packets
+  * ''rad_check_code_pdu=2:4'' — analyze PDU with codes 2 and 4
+  * ''rad_check_acct_status_type=1:3'' — analyze PDU with statuses 1 and 3
+  * ''mem_preset=1'' — initialize memory on startup
+  * ''fdpi_servers=127.0.0.1:29000,123.45.67.85:29000'' — list of DPI servers to send data to, where 29000 is the default control port
+===Stream Processing Configuration===
+<note tip>Using the provided values is recommended</note>
+  * ''num_threads=1''
+  * ''rx_bind_core=0''
+  * ''services_bind_cores=0''
+  * ''engine_bind_cores=0''
+  * ''fifo_bind_cores=0''
+  * ''snaplen=2000''
+  * ''timeout_alarm=5''
+  * ''dbg_log_mask=0x31''
+===Configuration for Exporting RADIUS Events to an External Collector===
+  * ''ipfix_dev=eno8'' — name of the Linux interface for IPFIX export. [[en:dpi:dpi_components:radius:radmon_acct_ipfix|]]\\
+  * ''ipfix_tcp_collectors=172.32.0.239:1502'' — IPFIX collector address
+===== Alternative Scheme: Diverting RADIUS Accounting Traffic from FastDPI DPDK Interfaces =====
+RADIUS Accounting must be fed into the DPI device ports along with network traffic. This can be achieved by mirroring the ports connected to the RADIUS server. In this case, FastRADIUS only receives the mirror and does not respond to the RADIUS server.
+==== TAP Interface Configuration ====
+FastRADIUS can run on the same server as FastDPI or be deployed on an external server. Two virtual interfaces, TAP0 and TAP1, are used to isolate the required traffic.
+Specify the port in the configuration:
+<code bash>
+in_dev=tap1
+</code>
+**Deploying Radius Monitor on the Same Server. Using a Bridge:**
+{{ :dpi:dpi_components:radius:alternative_scheme_bridge.png?nolink&600 |}}
+**Deploying Radius Monitor on an External Server. Using a Tunnel:**
+{{ :dpi:dpi_components:radius:alternative_scheme_tunnel.png?nolink&700 |}}
+  * TAP0 — used for traffic diversion
+  * TAP1 — listened on by Radius Monitor
+  * A Bridge or Tunnel is created between TAP0 and TAP1 for traffic forwarding.
+  * MAC learning is disabled on the TAP0 interface
+Execute the following commands from the console:
+<code bash>
+ip tuntap add tap0 mode tap
+ip tuntap add tap1 mode tap
+ip link set dev tap0 up
+ip link set dev tap1 up
+ip link add br0 type bridge
+ip link set tap0 master br0
+bridge link set dev tap0 learning off
+ip link set tap1 master br0
+ifconfig tap0 192.168.4.20 up
+ifconfig tap1 192.168.4.21 up
+ifconfig br0 up
+</code>
+<note warning>WARNING: TAP interfaces must be started after server reboot!</note>
+==== Configuring Traffic Diversion from FastDPI to FastRADIUS ====
+Enable the traffic diversion service on FastDPI:
+<code bash>
+fdpi_ctrl load profile --service 14 --profile.name radius  --profile.json '{ "typedev" : "tap","dev" : "tap0","udp" : [ 1813,1814,1815 ] }' --outformat=json
+fdpi_ctrl load --service 14 --profile.name radius --ip 10.16.252.11
+fdpi_ctrl load --service 14 --profile.name radius --ip 10.16.252.12
+</code>
+where:
+  * ''1813,1814,1815'' — ports on which RADIUS Accounting is transmitted
+  * ''10.16.252.11'', ''10.16.252.12'' — IP addresses of RADIUS servers sending RADIUS Accounting
+===== Additional Radius Monitor Settings =====
+  * ''rad_auth_port=1645'' — listening port number (or comma-separated list of ports) for RADIUS Authentication packets\\
+  * ''bind_multi=true'' — allow multiple IPs per USER-NAME (see command ''load --bind_multi'')
+<note important>If the order of bind/unbind in the RADIUS stream is not maintained or if there are packet losses (e.g., if it's a mirror), artifacts are likely.</note>
+==== Connecting NAT Based on CIDR ====
+Creating named [[en:dpi:opt_cgnat:сgnat_settings|NAT profiles]] on FastDPI:
+<code bash>
+fdpi_ctrl load profile --service 11 --profile.name nat_profile_all --profile.json '{ "nat_ip_pool" : "5.200.43.0/24,5.200.44/25", "nat_tcp_max_sessions" : 2000, "nat_udp_max_sessions" : 2000 }'
+</code>
+In the FastRADIUS configuration file ''/etc/dpi/fdpi_radius.nat'', specify IP ranges and their corresponding NAT profile names.
+Example:
+<code bash>
+.0.0.0/0	nat_profile_all
+.0.0.0/8	nat_profile_1
+.1.1.0/24	nat_profile_2
+</code>
+When a more specific (concrete) profile is specified for an address, it is selected.
+===== IPv6 Support =====
+Configuration parameters for binding addresses and subnets to subscribers are specified in the ''/etc/dpi/fdpi_radius.conf'' file:
+  * ''bind_ipv6_address''
+    * ''0'' — do not bind address to subscriber (default)
+    * ''1'' — bind\\ Binding is similar to the ''bind'' command in ''fdpi_ctrl''). The address is taken from the RADIUS attribute ''Framed-IPv6-Address(168)''
+  * ''bind_ipv6_subnet''
+    * ''0'' — do not bind (default)
+    * ''64'' — bind only for /64 subnets
+    * ''-1'' — bind for any subnets.\\ The subnet is taken from the RADIUS attribute ''Delegated-IPv6-Prefix(123)''
+Parameters ''bind_ipv6_address'' and ''bind_ipv6_subnet'' can be set simultaneously.\\ If a /128 mask is present in Framed-IPv6-Prefix, it is not checked against the restriction set by the ''bind_ipv6_subnet'' value.
+The subscriber is identified by the RADIUS attribute ''User-Name'' or ''Calling-Station-ID'' (depending on the ''login_replace'' setting)
+<note>The current implementation only supports IPv6 subnets of fixed length (default /64), so binding subnets of shorter length will cause an error.</note>
+===== Subscriber Identification in Mobile Networks =====
+  * ''login_replace=1'' — in this case, the RADIUS attribute ''Calling-Station-ID (IMSI)'' is used for subscriber identification instead of ''User-Name'', if present in RADIUS.
+  * ''ipfix_extra_gsm=1'' — enable support for sending [[en:dpi:dpi_components:radius:radmon_acct_ipfix|additional attributes]] from RADIUS Accounting via IPFIX.
+==== Appending Region Prefixes to Subscriber Names (LOGIN) ====
+Used when the RADIUS monitor and SCAT serve multiple regions, and ''user-name'' might overlap across regions; this allows separating them into different logins.\\
+  - Enable the setting ''rad_prefix_info=1''
+  - Add to the file ''/etc/dpi/prefixes.info'':<code>172.17.76.1 MSK-
+.17.76.2 MSK-
+.17.76.3 SPB-
+.17.76.4 SPB-
+.17.76.5 SPB-</code>where:\\
+    * first field - NAS-IP-Address from the RADIUS packet
+    * second field - prefix to be added to the Login\\

Differences

What were you trying to find?