BRAS L2 DHCP Relay Agent Example

BNG/BRAS DHCP L2 means that Stingray Service Gateway (SSG) acts as a DHCP Relay. The subscriber is authorized by the allocated IP-address after successful session initiation. Then the IP-address is terminated with a DPI and goes to the border.

The following elements are involved in the SSG operation scheme in BRAS L2 DHCP Radius Proxy mode:

1. Client with Q-in-Q access type
2. FastDPI - Traffic Handling and Policy Enforcement
3. FastPCRF - proxying requests between fastDPI and Radius
4. Radius server - accepting requests from fastPCRF and generating responses with specified attributes
5. Router - is responsible for packets transmission to the Internet and the backward routing. At the moment the Static Route scenario and the scenario with OSPF and BGP routing configuration on SSG are possible.

First, you need to uncomment (add) the following lines to the /etc/dpi/fastdpi.conf configuration file.

    #enable internal database of user properties
udr=1
    #enable IP authorization mode
enable_auth=1
    #activates L2 BRAS mode
bras_enable=1

    #DPI "virtual" IP address (must be unique for the network)
bras_arp_ip=192.168.1.2
    #"virtual" DPI MAC address (you should use the real MAC address of any of the DNA interfaces)
bras_arp_mac=a0:36:9f:77:26:58

    #border IP-address
bras_gateway_ip=192.168.1.1
    #MAC address of the border’s interface to which DPI is connected
bras_gateway_mac=c4:71:54:4b:e7:8a

    #server data where fastPCRF is installed (if the same server, do not change)
auth_servers=127.0.0.1%lo:29002

	#enable DHCP Relay Agent mode
bras_dhcp_mode=1

	#192.168.10.2 – DHCP server IP-address
	#veth0 – the name of the network interface connected to the DHCP-server
	#67 – port, default value: 68
	#arp_proxy - response lag to ARP requests of the DHCP server IP-address
	#alias_ip - DHCP server alias
	#reply_port - the port that expects responses from the DHCP-server. 
bras_dhcp_server=192.168.10.2%veth0:67;arp_proxy=1;alias_ip=192.168.1.4;reply_port=67

    #vlan termination (this value means tag will be removed)
bras_vlan_terminate=1
    #MAC-addresses replacement
bras_terminate_l2=1
    #local traffic interconnection
bras_terminate_local=1

    #enable accounting
enable_acct=1
    #subscriber billing statistics
netflow=4
    #timeout for sending statistics
netflow_timeout=60

If the session is started successfully and the L3 authorization mode is enabled (enable_auth=1), fastDPI BRAS immediately sends a Radius-request for subscriber authorization to get an up-to-date list of connected services and the subscriber's policy.

FastPCRF needs to be configured. Edit the file /etc/dpi/fastpcrf.conf to do this. Find the line with the RADIUS server parameters and change:

     #secret123 - Radius secret
     #192.168.1.10 - Radius server IP-address
     #eth0 - interface, **from which** FastPCRF "communicates" with the Radius server
     #1812 - port to which FastPCRF sends authorization requests
     #acct_port - port to which FasPCRF sends Accounting
radius_server=secret123@192.168.1.10%eth0:1812;acct_port=1813

The setting is given as an example on freeRADIUS 3 and may differ from the configuration of your Radius server.

First you need to add a VSA dictionary:

• copy the dictionary /usr/share/dpi/dictionary.vasexperts from the fastpcrf distribution to the $freeRadius/share/freeradius directory
• add the following line to the main dictionary $freeRadius/share/freeradius/dictionary:

$INCLUDE dictionary.vasexperts

Add the following lines to raddb/clients.conf of the Radius-server

client fastdpi1 {
	ipaddr		= 192.168.1.5
	secret		= secret123
	require_message_authenticator = yes
#	add_cui = yes
	virtual_server	= fastdpi-vs
}

To create the configuration of the virtual server, copy the file raddb/sites-available/default in raddb /sites-enabled/fastdpi-vs (it is included in the FreeRadius supply), and then edit fastdpi-vs:

• set the name of the virtual server - change the line "server default" at the beginning of the file to "server fastdpi-vs"
• in the listen section for auth requests (type = auth), write which IP-address and which port listens to incoming requests (note that this is the local address of the Radius server):

ipaddr = 192.168.1.10
port = 1812
interface = eth0

Add subscriber data to the file/etc/raddb/users (it should be noted that FastPCRF uses the source MAC address as the login and VasExperts.FastDPI as the password by default in this mode)

192.168.2.10      User-Password := "VasExperts.FastDPI"
    VasExperts-Policing-Profile = "10Mbps",

Also add two lines for fastPCRF in the file/etc/raddb/users:

VasExperts.FastDPI.unknownUser Cleartext-Password := "VasExperts.FastDPI"
DEFAULT	Cleartext-Password := "VasExperts.FastDPI"

When an unknown subscriber is being connected, FastPCRF sends an Access-Request with the following content:

User-Name = 192.168.2.10
User-Password = 0x372CC83FF66B8C8589C3BF18472DAEF6B0BB0723EC9DAEE188A08AA1EE6A050C
Framed-IP-Address = 192.168.2.10
Acct-Session-Id = 0A02A8C00000000F
Calling-Station-Id = 18:0f:76:01:05:19
NAS-Identifier = VasExperts.FastDPI
Service-Type = [2] Framed
VasExperts-Service-Type = 0
Message-Authenticator = 0x46A546AE34DCB0AEB9C24A9DFF1F0A02

Access-Accept example on successful authorization:

VasExperts-Policing-Profile = 10Mbps
VasExperts-User-Name = 192.168.2.10

When implementing L2 BRAS/BNG, various errors may occur, so that subscribers cannot be authorized and get access to the Internet. Below are the most common problems:

Check if fastPCRF process is running. Check if the server Radius address is specified correctly.

1. It is necessary to specify a static route to subscribers on the border. It is necessary to specify where the border has to route the traffic, since DPI is not yet able to announce the subscriber subnets it serves.
2. In the case of using NAT, a similar route is required for the subscriber’s subnets used in NAT.
3. Check if bras_gateway_ip and bras_gateway_mac parameters are set correctly.

1. Check if the port for receiving statistics is allowed in the Firewall (1813 by default) on the Radius server.
2. Check if the service 9 is activated for the subscriber.
3. Check if accounting is enabled in DPI configuration settings.
4. Check if the correct value is specified for the Netflow parameter.

Check if the port for receiving CoA is allowed in the Firewall (3799 by default) on the server with FastPCRF.