Access-Request format for the PPPoE networks [Документация VAS Experts]

Access-Request format for the PPPoE networks

Access-Request request being formed by the fastpcrf contains the following Radius attributes:

  • User-Name - for the PAP/CHAP/MS-CHAPv2: subscriber login. In order to authorize by MAC address this attribute contains the subscriber MAC address as a string, similar to the Calling-Station-Id attribute.
  • Password - subscriber password (only for the PAP authorization)
  • CHAP-Challenge and CHAPPassword- for the CHAP authorization
  • MS_CHAP_Challenge and MS_CHAP2_Response (Microsoft VSA) - for the MS-CHAPv2 authorization
  • Calling-Station-Id - subscriber MAC address as a string, for example, '01:02:e4:55:da:f5'. Here, the small letters for hex-digits A-F are used.
  • Acct-Session-Id - accounting sesson identifier. This attribute is always passed even if you do not use the VAS Experts DPI accounting.
  • Service-Type = 2 (Framed)
  • Framed-Protocol = 1 (PPP)

[SSG 7.6+] If Access-Request is initiated by the CoA request of reauthorization, then the Framed-IP-Address attribute containing the subscriber IP address is added.

Attributes identifying the NAS (i.e., VAS Experts DPI):

NAS-IP-Address - NAS IP address is specified in the fastpcrf.conf by the radius_attr_nas_ip_address configuration option. If this option is not specified in the fastpcrf.conf, the NAS-IP-Address attribute will not be added to the Access-Request.

NAS-Identifier - NAS identifier is specified in the fastpcrf.conf by the radius_attr_nas_id configuration option. If this option is not specified in the fastpcrf.conf, the NAS-IP-Address attribute will not be added to the Access-Request.

Note that only one of the attributes - NAS-IP-Address or NAS-Identifier is added to the Access-Request depending on the fastpcrf.conf settings. If both radius_attr_nas_ip_address and radius_attr_nas_id options are specified in the fastpcrf.conf, the only NAS-IP-Address is included in the Access-Request. The radius_add_all_nas_ids parameter allows you to add both of these attributes to the request:

# Allows to add NAS-IP-Address AND NAS-Identifier 
	# By RFC, the request can include either NAS-IP-Address or NAS-Identifier.
	# If both options are specified then priority is given to NAS-IP-Address option.
	# The value of this parameter 1 allows you to add both attributes to the request.
#radius_add_all_nas_ids=0

VASExperts-Service-Type - Vendor-Specific attribute containing the number (int32) defining the PPPoE authorization type:

  • VASExperts-Service-Type = 2 - for the PAP
  • VASExperts-Service-Type = 3 - for the CHAP
  • VASExperts-Service-Type = 4 - for the MS-CHAPv2
  • VASExperts-Service-Type = 5 - for the MAC address authorization

Message-Authenticator - [RFC2869] is formed if the radius_msg_auth_attr = 1 options is specified in the fastpcrf.conf

If the incoming subscriber packet contains VLANs (that is, if you have a PPPoE network with L2 VLAN tags):

  • NAS-Port-Type - is specified in the fastpcrf.conf by the radius_attr_nas_port_type configuration option, its default value is 5 (Virtual)
  • NAS-Port - VLAN value

If the incoming subscriber package contains Q-in-Q (that is, if you have a PPPoE network with L2-QinQ tags):

  • NAS-Port-Type - is specified in the fastpcrf.conf by the radius_attr_nas_port_type configuration option, its default value is 5 (Virtual)
  • NAS-Port-Id - VLAN value as a string using like "outerVLAN/innerVLAN" format, for example, "10/102"

Supports PPPoE circuit-id and remote-id options

SSG as of version 8.2 supports the PPPoE options circit-id and remote-id according to RFC 4679. The values of these options are passed to Access-Request in the VSA attributes Agent-Circuit-Id and Agent-Remote-Id respectively, vendor-id=3561.

Support Huawei vendor-specific tag 1

SSG 12.4 - added support for Huawei vendor-specific tag 1.

The value is interpreted as ADSL-Forum-Circuit-Id.

If PPPoE packet contains Circuit-Id and Huawei tag 1, Circuit-Id is preferred, Huawei tag 1 is ignored.