en:dpi:dpi_options:brass:opt_bras:reference_bras:interact_fastpcrf_radius:example_sett_radius [VAS Experts Documentation]

Differences

This shows you the differences between two versions of the page.

Previous revision: en:dpi:dpi_options:brass:opt_bras:reference_bras:interact_fastpcrf_radius:example_sett_radius [2020/02/05 17:38] – ↷ Links adapted because of a move operation lexx26
Current revision: en:dpi:dpi_options:brass:opt_bras:reference_bras:interact_fastpcrf_radius:example_sett_radius [2020/03/18 14:56] (current) – removed lexx26
Line 1: Line 1:
-====== 4 FreeRadius3 setup example ====== 
-{{indexmenu_n>4}} 
-This section describes the minimum configuration editing you shoud make to provide FreeRadius 3 interaction with the FastPCRF. 
-<note warning>These editings should be considered only as one of the FreeRadius configuration examples. Here we do not deal with FreeRadius integration with a billing system or database.</note> 
-Suppose the Radius server IP address is 192.168.1.200 and its port is 1812. 
  
-=== VasExperts dictionary === 
-First you should add the vendor-specific {{ :service:brass:opt_bras:reference_bras:interact_fastpcrf_radius:dictionary.rar |dictionary.vasexperts}} attribute dictionary to the RADIUS server dictionary. For this purpose: 
- 
-  * Copy /usr/share/dpi/dictionary.vasexperts dictionary from the fastpcrf distro to the $freeRadius/share/freeradius directory 
-  * Add to the $freeRadius/share/freeradius/dictionary main dictionary the following line: 
-<code>$INCLUDE dictionary.vasexperts</code> 
- 
-=== Client creation === 
-Parameters of connection with the RADIUS server should be specified in the fastpcrf.conf configuration file  of our instance, which is a RADIUS client: 
-<code>radius_server=secret123@192.168.1.200%eth0:1812;msg_auth_attr=1</code> 
-Here eth0 is the local device name (network card name) used to establish the connection with the 192.168.1.200 server. 
- 
-For each FastPCRF instance, the first step is to create a client in the FreeRadius. Let's name the client as fastdpi1. All clients (FastPCRF instances) will refer to the same fastdpi-vs virtual server. 
- 
-Add the following lines to the Radius server raddb/clients.conf: 
-<code> 
-client fastdpi1 { 
-ipaddr = 192.168.1.32 
-secret = secret123 
-require_message_authenticator = yes 
-# add_cui = yes 
-virtual_server = fastdpi-vs 
-} 
-</code> 
- 
-Here: 
- 
-  * ''ipaddr'' specifies the FastPCRF instance IP address, in our example it is 192.168.1.32 
-  * ''secret'' is a unique secret known both to the Radius server and a client (i.e., FastPCRF instance). The value is arbitrary and must match the corresponding setting in the fastpcrf.conf:<code>radius_server=secret123@192.168.1.200%eth0:1812</code> 
-  * ''require_message_authenticator'' is an indicator specifying whether the ''Message-Authenticator'' attribute is mandatory within the RADIUS request. [[https://tools.ietf.org/html/rfc2869|RFC 2869]] strongly recommends to use this attribute. This setting should be consistent with the ''msg_auth_attr'' parameter in fastpcrf.conf: radius_server=…;msg_auth_attr=1 
-  * ''add_cui'' should be deactivated. The RADIUS server sends for security reasons the CUI (Chargeable-User-Identity) attribute as an encrypted user login hash value, which is unacceptable for FastDPI due to it expects a real user login. Therefore, the ''add_cui'' parameter is commented out. 
-  * ''virtual_server'' specifies the name of the virtual server that we will configure below. 
- 
-=== Creation of the virtual server === 
-To create a virtual server configuration, you should copy the raddb/sites-available/default file included in the FreeRadius distribution, to the raddb/sites-enabled/fastdpi-vs one and then edit fastdpi-vs: 
- 
-  * set the virtual server name by changing the **server default** line  at the beginning of the file to **server fastdpi-vs** 
-  * in the listen section for auth requests (type = auth), you should specify both the IP address and the port used to listen to incoming requests (note that this is the local address of the RADIUS server): 
-<code> 
-ipaddr = 192.168.1.200 
-port = 1814 
-interface = eth0 
-</code> 
-  * delete the remaining listen sections (or comment out since we don't need them anymore) 
-  * all the substantive work on generating an Access-Request response is specified within the post-auth section. It is impossible to give any recommendations here since it all depends on the specific provider, on the environment of the RADIUS server, since it is unknown where the data come from.For more detailed information on the list of required attributes see [[en:dpi:dpi_options:brass:opt_bras:reference_bras:interact_fastpcrf_radius:return_param_fastpcrf_radius|Parameters of responses being sent from Radius servers to FastPCRF]]. As an example, the static filling of the Access-Accept response attribute is given (don't forget, that if there is ''Chargeable-User-Identity'' attribute containing a single zero byte within the Access-Request request, it means that fastpcrf does not know the user login and requests it from the RADIUS server; in this example, the CUI is formed from the Framed-IP-Address for illustration purpose only): 
-<code> 
-post-auth { 
- 
-# 
-# Add VasExperts attributes 
-# 
-if ( Chargeable-User-Identity == 0x00 ) { 
-update reply { 
-Chargeable-User-Identity := "u-%{Framed-IP-Address}" 
-} 
-} 
-else { 
-update reply { 
-Chargeable-User-Identity := "%{Chargeable-User-Identity}" 
-} 
-} 
-update reply { 
-Framed-IP-Address := "%{Framed-IP-Address}" 
-VasExperts-Policing-Profile := "test1" 
-VasExperts-Service-Profile += "1:test1" 
-Session-Timeout := 300 
-} 
- 
-} 
-</code> 
-  * The cui parameter of the post-auth section is commented out! FreeRadius sends the hash value of the login within the CUI instead of the user login , which we do not need, so we will form the CUI attribute in the response independently, see the example above. 
-  * To the Post-Auth-Type REJECT section (formation of the Access-Reject) below you should add: 
-        * ''CUI'' attribute, if the FastPCRF requests it and the user is known; 
-        * The ''VasExperts-Policing-Profile'' attribute specifying the policing profile for unauthorized users (in the example below, the profile name is ''plc_unauth'', you will have a different one); 
-        * The ''VasExperts-Service-Profile'' attribute specifying the profile of service 5 ("White List"). It is usually a profile allowing unauthorized users to access only the Captive Portal. In the example below, the profile name is ''cp_unauth'', it will differ in your case. 
- 
-Example: 
-<code> 
-if (Chargeable-User-Identity == "\0" ) { 
-update reply { 
-Chargeable-User-Identity := "login" 
-} 
-} 
-update reply { 
-VasExperts-Policing-Profile := "plc_unauth" 
-VasExperts-Service-Profile += "5:cp_unauth" 
-} 
-</code> 
- 
-=== Editing of users === 
-To do so you should add two entries for FastPCRF to the raddb/users file: 
- 
-<code> 
-VasExperts.FastDPI.unknownUser Cleartext-Password := "VasExperts.FastDPI" 
-DEFAULT Cleartext-Password := "VasExperts.FastDPI" 
-</code> 
- 
-The first entry specifies the user name which FastPCRF sends if the user login is unknown, for detailed info, see the description of the ''radius_unknown_user'' configuration parameter. This name is specified in the FastPCRF, as well as the password, see the description of the [[en:dpi:dpi_options:brass:opt_bras:reference_bras:params_fastpcrf:setup_radius_fastpcrf|radius_unknown_user_psw]] configuration parameter. The second entry sets the password which FastPCRF uses to send requests for known logins. This password is configured in the FastPCRF, see the description of the [[en:dpi:dpi_options:brass:opt_bras:reference_bras:params_fastpcrf:setup_radius_fastpcrf|radius_user_password]] configuration parameter.
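
Review bot: the removed text disagrees with itself on the RADIUS port. The introduction and the `radius_server=secret123@192.168.1.200%eth0:1812` line in fastpcrf.conf use 1812, while the auth listen section of the fastdpi-vs virtual server sets `port = 1814`. Since the page also says to delete the remaining listen sections, a reader following it verbatim would point FastPCRF at a port the virtual server is not configured to listen on. The revision summary says only "removed", so if this content is being moved rather than dropped, the new copy should use one port throughout. Two smaller points for that copy. The zero-byte CUI test is written as `== 0x00` in post-auth but as `== "\0"` in the Post-Auth-Type REJECT example, and should be written one way. The raddb/users entry `DEFAULT Cleartext-Password := "VasExperts.FastDPI"` matches every user name, so the text should say that this value, like `secret123`, is a sample to be replaced and must agree with `radius_user_password` in FastPCRF.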