BRAS L2 PPPoE Example

Description

FastDPI BNG/BRAS supports PPPoE connection since version 7.2. The subscriber connects to the Stingray Service Gateway (SSG) using the PPPoE connection type, is terminated by SSG and then gets to the border. The following elements are involved in the SSG operation scheme in BNG/BRAS PPPoE mod:

Client with PPPoE access type
FastDPI - traffic processing and policing
FastPCRF - proxying requests between fastDPI and Radius
Radius server - accepting requests from fastPCRF and generating responses with specified attributes
Router - is responsible for packets transmission to the Internet and the backward routing. At the moment the Static Route scenario and the scenario with OSPF and BGP routing configuration on SSG are possible.

FastDPI Setup

Editing the DPI Configuration File

First, you need to uncomment (add) the following lines to the /etc/dpi/fastdpi.conf configuration file.

    #enable internal database of user properties
udr=1
    #activates BRAS L2 mode
bras_enable=1
enable_auth=1

    #DPI "virtual" IP-address (must be unique for network)
bras_arp_ip=192.168.1.2
    #"virtual" MAC-address of DPI (you should use the real MAC-address of any of the DNA interfaces)
bras_arp_mac=a0:36:9f:77:26:58

    #border IP-address
bras_gateway_ip=192.168.1.1
    #MAC address of the border’s interface to which DPI is connected
bras_gateway_mac=c4:71:54:4b:e7:8a

    #server data where fastPCRF is installed (if the same server, do not change)
auth_servers=127.0.0.1%lo:29002

    #enable PPPoE
bras_pppoe_enable=1
    #set the maximum number of PPPoE sessions
    #recommended value is *1.5-2 times more than the number of PPPoE subscribers
bras_pppoe_session=10000

    #choice of authorization protocol
    #enable CHAP and MS-CHAPv2
bras_ppp_auth_list=2,3

    #vlan termination (this value means tag will be removed)
bras_vlan_terminate=1
    #local traffic interconnection
bras_terminate_local=1

    #enable accounting
enable_acct=1
    #subscriber billing statistics
netflow=4
    #timeout for sending statistics
netflow_timeout=60

You should set your own values for the following parameters

bras_arp_ip
bras_arp_mac
bras_gateway_ip
bras_gateway_mac

FastPCRF Setup

FastPCRF needs to be configured. Edit the file /etc/dpi/fastpcrf.conf to do this. Find the line with the RADIUS server parameters and change:

     #secret123 - Radius secret
     #192.168.1.10 - Radius server IP-address
     #eth0 - FastPCRF interface "communicating" with the Radius server
     #1812 - port to which FastPCRF sends authorization requests
     #acct_port - port to which FasPCRF sends Accounting
radius_server=secret123@192.168.1.10%eth0:1812;acct_port=1813

Radius Setup

The setting is given as an example on freeRADIUS 3 and may differ from the configuration of your Radius server.

VasExperts Dictionary

First you need to add a VSA dictionary:

copy the dictionary /usr/share/dpi/dictionary.vasexperts from the fastPCRF distribution to the $freeRadius/share/freeradius directory
Добавляем в главный словарь $freeRadius/share/freeradius/dictionary строку:

$INCLUDE dictionary.vasexperts

Creating Radius Client

Add the following lines to raddb/clients.conf of the Radius server

client fastdpi1 {
	ipaddr		= 192.168.1.5
	secret		= secret123
	require_message_authenticator = yes
#	add_cui = yes
	virtual_server	= fastdpi-vs
}

Creating a Virtual Server

To create the configuration of the virtual server, copy the file raddb/sites-available/default in raddb/sites-enabled/fastdpi-vs (it is included in the FreeRadius supply), and then edit fastdpi-vs:

set the name of the virtual server - change the line "server default" at the beginning of the file to "server fastdpi-vs"
in the listen section for auth requests (type = auth), write which IP-address and which port listens to incoming requests (note that this is the local address of the Radius server):

ipaddr = 192.168.1.10
port = 1812
interface = eth0

Creating a User Account

Add subscriber data to the /etc/raddb/users file:

testuser        Cleartext-Password := "VasExperts.FastDPI"
        Framed-IP-Address = 192.168.2.199,
        VasExperts-DHCP-DNS = 8.8.8.8,
        VasExperts-Enable-Service = "9:on",
	VasExperts-Policing-Profile = "100Mbps"
	VasExperts-Service-Profile = "11:user_nat"

Also add two entries for FastPCRF in the file /etc/raddb/users:

VasExperts.FastDPI.unknownUser Cleartext-Password := "VasExperts.FastDPI"
DEFAULT	Cleartext-Password := "VasExperts.FastDPI"

Router Setup

On the router, add a static route to the subnet served by the DPI.

/ip route add dst-address=192.168.2.0/24 gateway=192.168.1.2

Test Subscriber Connection

When an unknown subscriber is being connected, FastPCRF sends an Access-Request with the following content:

User-Name = testuser
MS-CHAP-Challenge = 0xE193CBF29405D063646513166D33F57B
MS-CHAP2-Response = 0x010041D33AE9751D811DBD4623CF8D9E0514000000000000000051760F288DC221D0DCE20CD196968607B56B72E72A852C25
Calling-Station-Id = 18:0f:76:01:05:19
Acct-Session-Id = C4C48F8E00000015
Service-Type = Framed
Framed-Protocol = 1
NAS-Identifier = VasExperts.FastDPI
VasExperts-Service-Type = 4
Message-Authenticator = 0x26FE6195DAAC29492B03A3F0B07D638D

Access-Accept example on successful authorization:

Framed-IP-Address = 192.168.2.199
VasExperts-DHCP-DNS = 8.8.8.8
VasExperts-Enable-Service = 9:on
VasExperts-Service-Profile = 11:user_nat
MS-CHAP2-Success = 0x01533D34313746393641463434423233313445443043324433434439353437354336443738304532363832
MS-MPPE-Recv-Key = 0x820F64564914155A4C24C039874650715FF81E2B5AA461668DA05CF6FF1926077290
MS-MPPE-Send-Key = 0x8BA29098E69F39844E2FD74C5BD3FB0E7FD998348401E56379655D1E7DEA6310505E
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Type = 0x00000006
VasExperts-User-Name = testuser

Troubleshooting

When implementing L2 BRAS/BNG, various errors may occur, so that subscribers cannot be authorized and get access to the Internet. Below are the most common problems:

No authorization requests.

Check if fastpcrf process is running. Check if the server Radius address is specified correctly.

I can ping DPI, but the ping does not reach the border.

It is necessary to specify a static route to subscribers on the border. It is necessary to specify where the border has to route the traffic, since DPI is not yet able to announce the subscriber subnets it serves.
In the case of using NAT, a similar route is required for the subscriber’s subnets used in NAT.
Check if bras_gateway_ip and bras_gateway_mac parameters are set correctly.

Statistics are not sent for Accounting.

Check if the port for receiving statistics is allowed in the Firewall (1813 by default) on the Radius server.
Check if the service 9 is activated for the subscriber.
Check if accounting is enabled in DPI configuration settings.
Check if the correct value is specified for the Netflow parameter.

CoA does not reach BRAS/BNG.

Check if the port for receiving CoA is allowed in the Firewall (3799 by default) on the server with FastPCRF.