Differences

This shows you the differences between two versions of the page.

--- en:dpi:dpi_options:brass:opt_bras:reference_bras:modes_dhcp:dhcp_radius_proxy [2020/02/05 17:38] – ↷ Page moved from en:dpi:dpi_options:base_functionality:brass:opt_bras:reference_bras:modes_dhcp:dhcp_radius_proxy to en:dpi:dpi_options:brass:opt_bras:reference_bras:modes_dhcp:dhcp_radius_proxy lexx26
+++ en:dpi:dpi_options:brass:opt_bras:reference_bras:modes_dhcp:dhcp_radius_proxy [2020/03/18 14:54] (current) – removed lexx26
@@ Line 1: / Line 1: @@
-====== 1 DHCP Radius Proxy ======
-{{indexmenu_n>1}}
-==== General description of DHCP Radius Proxy mode ====
-The DHCP mode Radius Proxy is designed to implement a BRAS service without using of dedicated DHCP servers. The RADIUS server is used instead of DHCP servers and the FastDPI together with the FastPCRF operate as a DHCP server.
-==== DHCP Radius Proxy mode advantages ====
-  * Easier management of Subscriber services, since all the relevant information about them is stored in the RADIUS server database, which is the only information source about Subscribers.
-  * Fewer components involved in the Subscriber authorization procedure, and consequently, better reliability. There is no need for dedicated DHCP servers.
-  * More simple diagnostics.
-==== DHCP Radius Proxy mode peculiarities ====
-There is no need for an individual client authorization request from the FastDPI side because the response to the the Access-Request request contains both DHCP parameters and FastDPI user profiles as well as a set of FastDPI services enabled for the user. This behavior can be changed through the [[en:dpi:dpi_options:base_functionality:brass:opt_bras:reference_bras:modes_dhcp:param_dhcp|bras_dhcp_auth_mix]] configuration parameter. The authorization request in the "DHCP Radius proxy" mode can be distinguished by the [[en:dpi:dpi_options:base_functionality:brass:opt_bras:reference_bras:interact_fastpcrf_radius:call_param_fastpcrf_radius|VasExperts-Service-Type]] attribute value.
-[[en:dpi:dpi_options:base_functionality:brass:opt_bras:reference_bras:interact_fastpcrf_radius:interact_fastpcrf_coa|CoA notifications]] are supported in the DHCP Radius Proxy mode. It should be noted that the CoA-notification have nothing to do with changing of the DHCP parameters, it just indicates that the user authorization parameters have been changed, while the DHCP session remains the same.
-The same applies to the Disconnect-Request notification: this notification only indicates that the user has become unauthorized (for example, because he ran out of money), whereas its IP address and other DHCP attributes remain unchanged. Disconnect-Request request does not result in reestablishing of the DHCP session.
-====  Algorithm of interaction ====
-  - FastDPI accepts DHCP requests from the user device and forwards to the FastPCRF;
-  - FastPCRF converts a DHCP request to a Radius Access-Request request and sends it to the RADIUS server;
-  - Once the Access-Accept/Access-Reject response reception event occured, the FastPCRF converts it into an internal format and sends it to the FastDPI. The RADIUS response should contain both the attributes required for DHCP and the user profiles required by the FastDPI;
-  - FastDPI generates a DHCP response and sends it to the user, and also remembers user profiles and a set of services enabled for the user.
-Once the FastDPI got a DHCP Discover request from the user device, it sends it "as is" to the FastPCRF for processing. If the IP address is successfully assigned to the user the FastPCRF, will respond with the DHCP Offer, simultaneously notifying the RASIUS server that Accounting Start session is started. FastDPI saves the parameters of all DHCP-Offer in its internal UDR database. During the [[en:dpi:dpi_options:base_functionality:brass:opt_bras:reference_bras:modes_dhcp:param_dhcp|bras_dhcp_request_delay]] period all subsequent DHCP-Requests from the user device to confirm or extend the IP address leasing are processed by the FastDPI, which returns the extracted from the DHCP-Offer and saved parameters to the DHCP-Ack.
-The timeout (in seconds) of the response from the FastPCRF to DHCP Discover is specified by the [[en:dpi:dpi_options:base_functionality:brass:opt_bras:reference_bras:modes_dhcp:param_dhcp|bras_dhcp_timeout]] configurtion parameter in the fastdpi.conf file, its default value is 7 seconds.
-Having received the DHCP-Release/DHCP-Decline the FastDPI saves to the UDR that the leasing of this IP address has expired and sends a notification via FastPCRF to the RADIUS server that the session has terminated using the Accounting Stop. Once the session is terminated, all the packets coming from the subscriber IP address will be dropped.
-FastDPI also monitors the session duration specified in the DHCP-Offer. If the session is expired, and the Subscriber has not extended the leasing by sending a DHCP-Request, the session is considered to be out-to-date resulting in all the packets from the user IP address will be dropped.
-<note>The main load on the RADIUS server is caused by DHCP-Discover requests sent via FastPCRF.</note>
-==== Limiting the Subscriber DHCP session duration ====
-The Subscriber DHCP session duration an be nearly unlimited if the user device regularly sends DHCP-Request requests to extend its IP address leasing. This may be a problem for the ISP; to deal with this problem the FastDPI has a [[en:dpi:dpi_options:base_functionality:brass:opt_bras:reference_bras:param_bras|bras_max_session_duration]] configuration parameter specifying the maximum duration of the Subscriber session in seconds. The default value of this parameter is 604800 seconds (1 week). Once the maximum duration of the FastDPI session is exceeded, the FastDPI will response by DHCP-Nak reject in response to DHCP-Request for renewing leasing, thereby forcing the Subscriber device to start a new session by sending DHCP-Discover.
-==== Enabling of DHCP Radius Proxy ====
-[[en:dpi:dpi_options:base_functionality:brass:opt_bras:reference_bras:modes_dhcp:dhcp_radius_proxy|DHCP Radius Proxy]] mode is enabled by setting ''bras_dhcp_mode=2'' in the fastdpi.conf configuration file:
-<code>
-bras_dhcp_mode=2
-</code>
-You also should specify the FastDPI virtual IP address, it will be shown as the DHCP server address in the DHCP packets, and the virtual MAC address, for example:
-''bras_arp_ip'' specifies BRAS IP address. This IP address must be unique, it must not be associated with any user. For example:
-<code>
-bras_arp_ip=192.168.1.255
-bras_arp_mac=a0:00:b1:01:4e:cc</code>
-==== Interaction of FastPCRF with RADIUS in DHCP Radius Proxy mode ====
-The Access-Request Radius Request has the following attributes:
-  * User-Name is the MAC address of the DHCP request in the XX:XX:XX:XX:XX:XX format. QinQ tags can be used as User-Name in Q-in-Q networks, see below.
-  * User-Password is the value of the ''dhcp_user_psw'' fastpcrf.conf parameter. This parameter specifies the password specifically for the DHCP Radius proxy mode. If the parameter is not specified, the ''user_password'' RADIUS server parameter is used.
-  * NAS-IP-Address - if DHCP request contains the  Relay agent IP address, then this address is substituted into this attribute. If there is no Relay agent, then the attribute contains the VAS Experts DPI virtual IP address from the ''bras_arp_ip'' parameter specified in the fastdpi.conf. Using the attribute value, you can determine subnet the RADIUS request came from (the Relay agent which sent this request)
-  * NAS-Port-Type contains the value of the ''radius_attr_nas_port_type'' fastpcrf.conf parameter for this RADIUS server.
-  * NAS-Port is used only for VLANs (with one VLAN): VLAN number
-  * NAS-Port-Id is used only for QinQ networks (with dual VLANs): it contains VLANs using string '/'-delimeted format, for example: "123/67"
-  * Framed-IP-Address - this attribute contains the subscriber IP address and is present only if the subscriber IP address is known.
-VSA (Vendor-Specific Attributes) for VendorId=43823 (VASExperts):
-  * [6]  VasExperts-Service-Type contains the value 1. Having analysed the attribute value you can identify which Access-Request was received:\\ 0 - [[en:dpi:dpi_options:opt_bras:bras_steps:radius_auth_server_integration:start|authorization request]];\\ 1 - DHCP
-  * [37] VasExperts-DHCP-Request is DHCP request type:\\ 0 - DHCP-Discover;\\ 1 - DHCP-Inform;\\ 2 - DHCP-Request
-  * [38] VasExperts-DHCP-RelayRemoteId is the value of Relay Remote Id suboption of option 82 (Relay Agent Info) in DHCP request (binary)
-  * [39] VasExperts-DHCP-RelayCircuitId is the value of Relay Circuit Id suboption of option 82 (Relay Agent Info) in DHCP request (binary)
-  * [36] VasExperts-DHCP-Client-IP is the desired user IP address. It is extracted from option 50 DHCP-Discover (Requested Client IP address) and can only be used as a hint during processing. The same IP address as in the Framed-IP-Address attribute is used in the DHCP-Inform
-  * [32] VasExperts-DHCP-Hostname is the option 12 (hostname) value of the DHCP request (binary)
-  * [33] VasExperts-DHCP-ClientId is the option 61 (client id) value of the DHCP request (binary)
-  * [34] VasExperts-DHCP-ClassId is the option 60 (vendor class id) value of the DHCP request (binary)
-  * [35] VasExperts-DHCP-RelayInfo is the option 82 (relay agent info) value of the DHCP request (binary)
-Attributes corresponding to the values of the DHCP options are added to the Access-Request only if the corresponding option is present in the DHCP request.
-Response to the RADIUS Access-Request request in the DHCP RADIUS proxy mode should contain both the details of assigning IP address to the subscriber and the subscriber authorization parameters in the fastDPI: policing profiles and enabled VAS Experts DPI services (see the compatibility peculiarities of [[en:dpi:dpi_options:opt_bras_l2:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy:bras_l2_vlan_dhcp_proxy_l3auth|DHCP Proxy and L3-authorization]] modes). It should be taken into account that even when the subscriber is blocked (for example, due to lack of funds on corresponding account), he should be assigned a valid IP address. Indeed, we should get answers to the following questions:
-  * for DHCP: user IP address and network settings;
-  * authorization: whether the user is authorized, what is his policing profile and what services he has been enabled to.
-From the DHCP point of view, if any of Access-Accept or Access-Reject requests contains the ''Framed-IP-Address'' attribute, then this response treated as IP address was successfully assigned to the user. In addition to the IP address, the following DHCP options are supported:
-  * Subnet mask (opt1) is extracted from the Framed-IP-Netmask [9] Framed-Route
-  * MTU size (opt26) is extracted from the Framed-MTU [12] RADIUS attribute.
-  * IP address leasing duration (opt51) is extracted from the Session-Timeout [27] RADIUS attribute.
-  * Default gateway IP address (opt3) is extracted from the VasExperts-DHCP-Gateway (vendor-id = 43823, attr-id=42) VSA attribute.
-  * Static routing table (opt121) is extracted from the Framed-Route [22] RADIUS attribute. RADIUS response can contain up to 16 Framed-Route attributes, the attribute format is:\\ 'CIDR-netmask gateway-IP <other data>', for example, '5.128.0.0/16 192.168.10.1', here the 192.168.10.1 is the gateway for the 5.128.0.0/16 network ('other data' is ignored)
-  * DNS servers (opt6) is extracted from the VasExperts-DHCP-DNS (vendor-id = 43823, attr-id=41) VSA attributes. There are allowed to specify several (up to 16) attributes of VasExperts-DHCP-DNS.
-Other DHCP options can be specified via the [[en:dpi:dpi_options:base_functionality:brass:opt_bras:reference_bras:attribute_dhcp:start|special VSA attributes]].
-[[en:dpi:dpi_options:base_functionality:brass:opt_bras:reference_bras:modes_dhcp:param_dhcp|General parameters]] applicable to all users DHCP settings can be specified in the fastpcrf.conf configuration file.
-The principle of converting RADIUS attributes in the DHCP response option is simple: if the RADIUS response does not contain corresponding attribute, then its value is taken from the fastpcrf.conf, if the corresponding parameter is not specified in the fastpcrf.conf, then the DHCP option will not be added to the response.
-If the RADIUS response contains the Framed-IP-Address attribute, that is, the user is assigned an IP address, then the type of the response is analysed: whether it Access-Accept access permission or Access-Reject reject, then the attributes specifying the subscriber policing profile and the list of enabled services are extracted from the response, see the [[en:dpi:dpi_options:base_functionality:brass:opt_bras:bras_description:start|BRAS-L3 authorization]] section.
-If the RADIUS response does not contain the Framed-IP-Address attribute, then it is considered that the IP address leasing is impossible for the user. No response is sent to the user device, which amounts to rejection in assigning an IP address to the user (from the DHCP point of view). Authorization parameters are completely ignored in this case.
-More information about the interaction of FastPCRF with RADIUS can be found in the relevant articles: [[en:dpi:dpi_options:base_functionality:brass:opt_bras:reference_bras:interact_fastpcrf_radius:call_param_fastpcrf_radius|Parameters of FastPCRF requests being sent to the RADIUS Servers]] and [[en:dpi:dpi_options:base_functionality:brass:opt_bras:reference_bras:interact_fastpcrf_radius:return_param_fastpcrf_radius|Parameters of responses from the RADIUS servers to the FastPCRF]].

Profile

Settings

Differences