IPv4 Pools Support [VAS Experts Documentation]

IPv4 Pools Support

The name of the IP address pool is set by the Framed-Pool attribute in Access-Accept.

The Framed-IP-Address attribute has a higher priority than Framed-Pool: if both are present in the response, PCRF ignores Framed-Pool.

Upon detecting the Framed-Pool attribute in the RADIUS response, the PCRF should:

  • contact the DHCP server for the subscriber's address by passing the pool name to the DHCP server in one of the DHCP options;
  • after receiving a response from the DHCP server, generate a general authorization response by combining the DHCP response options and the Access-Accept attribute.

FastPCRF Configuration

At least one DHCP server serving the pools must be specified in fastpcrf.conf. The server address is set in the dhcp_server parameter in the following form:

    # <address> - IP-address of the DHCP-server
    # <dev> - which local interface is to communicate with the DHCP-server
    dhcp_server=<address>%<dev>

Each DHCP-server is set in fastpcrf.conf with a separate parameter. For example, two servers can be specified like this:

    # Primary server - on the interface eth1
    dhcp_server=192.168.10.10%eth1
    # Stand-by server - on the interface em2
    dhcp_server=10.45.78.03%em2

Setting up to 16 DHCP servers is supported. This parameter has no default value - for Framed-Pool support it is necessary to specify at least one DHCP-server in fastpcrf.conf.

In addition to the DHCP servers, you should also specify which DHCP request option carries the pool name. This is done with the dhcp_poolname_opt parameter. The following DHCP options are supported:

  1. dhcp_poolname_opt=1 - opt77 User-Class RFC 3004. If the option already exists, its value is replaced with the pool name
  2. dhcp_poolname_opt=2 - opt125 Vendor-Opts (vendorId=43823, subopt=1) RFC 3925. The option is always added
  3. dhcp_poolname_opt=3 - opt60 Class-Id RFC 2132. If the option already exists, its value is replaced with the pool name.

If dhcp_poolname_opt=0 (default) - the pool name will be added to opt125.

In SSG 10.2+, the algorithm for adding opt125 has been changed: if such an option already exists in a DHCP request, SSG adds the data for the VAS Experts vendor to the existing opt125. This change is due to the fact that not all DHCP server implementations understand multiple assignments of the same option.

In SSG 12.4+ opt125 is added with the pool name as the first option. Reason: KEA parses only the first vendor when defining the client class (opt125).
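The following added example (not VAS Experts code) models how the pool name ends up in a request for each dhcp_poolname_opt value, using the RFC 3925 layout for opt125 and placing the pool name block first, as described for SSG 12.4+. The function names, the dict model of a request, and writing the name as raw ASCII into opt77/opt60 are assumptions; the parser is what a DHCP server operator could use to check what actually arrives in opt125.

```python
import struct

VENDOR_ID, POOL_SUBOPT = 43823, 1   # vendorId and subopt as given on this page
OPT_CLASS_ID, OPT_USER_CLASS, OPT_VIVSO = 60, 77, 125

def vendor_block(pool):
    """RFC 3925 block: enterprise (4) | data-len (1) | subopt (1) | len (1) | name."""
    name = pool.encode("ascii")
    sub = bytes([POOL_SUBOPT, len(name)]) + name
    return struct.pack("!IB", VENDOR_ID, len(sub)) + sub

def add_pool_name(options, pool, poolname_opt=0):
    """Return a copy of {option code: value bytes} with the pool name added."""
    out = dict(options)
    if poolname_opt == 1:
        out[OPT_USER_CLASS] = pool.encode("ascii")   # any existing opt77 value is lost
    elif poolname_opt == 3:
        out[OPT_CLASS_ID] = pool.encode("ascii")     # any existing opt60 value is lost
    elif poolname_opt in (0, 2):
        # Pool name block first; blocks from other vendors are kept after it.
        out[OPT_VIVSO] = vendor_block(pool) + out.get(OPT_VIVSO, b"")
    else:
        raise ValueError("unsupported dhcp_poolname_opt: %r" % (poolname_opt,))
    return out

def parse_opt125(value):
    """Decode an opt125 value into [(enterprise, {subopt: data}), ...]."""
    vendors, pos = [], 0
    while pos < len(value):
        if pos + 5 > len(value):
            raise ValueError("truncated vendor header")
        enterprise, dlen = struct.unpack_from("!IB", value, pos)
        data = value[pos + 5:pos + 5 + dlen]
        if len(data) != dlen:
            raise ValueError("truncated vendor data")
        pos += 5 + dlen
        subopts, i = {}, 0
        while i < len(data):
            if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
                raise ValueError("truncated sub-option")
            subopts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
            i += 2 + data[i + 1]
        vendors.append((enterprise, subopts))
    return vendors

if __name__ == "__main__":
    # Constructed request: opt60 plus an opt125 block for enterprise 3561 (illustrative).
    req = {60: b"MSFT 5.0", 125: bytes.fromhex("00000de903010141")}
    print(parse_opt125(add_pool_name(req, "pool1")[125]))
```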

FastPCRF addresses DHCP servers as a Relay (with the IP address of the local server-communication interface), so that DHCP traffic is unicast. All DHCP requests are sent to all servers specified in dhcp_server parameters. If multiple DHCP servers are configured, FastPCRF uses the first response received in time; replies from other DHCP servers are ignored.

ISC DHCP-server Configuration Example

The DHCP server is configured differently depending on which DHCP option carries the pool name (dhcp_poolname_opt parameter). Below are extracts from the ISC DHCP configuration file /etc/dhcp/dhcpd.conf that relate to configuring the pool.

  1. example for option 125 (dhcp_poolname_opt=2)
  2. example for option 77 User-Class (dhcp_poolname_opt=1)
  3. example for option 60 Class-Id (dhcp_poolname_opt=3)

Forming a DHCP request in the DHCP Radius Proxy mode

In the DHCP Radius Proxy mode, the original DHCP request of the subscriber is transmitted to the DHCP server with the addition of the pool name in accordance with the dhcp_poolname_opt parameter.

Be careful when specifying the pool name in opt77 or opt60: if the option is already present in the subscriber's DHCP request, its value is replaced with the pool name. If the original value of these options is important when configuring the DHCP server, you should use option 125 for the pool name, which is always added.

Forming a DHCP request for PPPoE-clients

For the PPPoE-subscribers, PCRF forms a DHCP-request with the following options that identify the subscriber:

  • opt61 Client-Id RFC 2132 - contains type "1" (ethernet) and the subscriber's MAC address in binary form;

Forming Access-Accept

After receiving a response from the DHCP server, PCRF combines it with the Access-Accept previously received from the RADIUS server. DHCP options can also be specified in Access-Accept as special VSAs. When aggregating responses, the DHCP options returned by the DHCP server have a higher priority than these VSA attributes; for example, if a different list of DNS servers is specified in both the DHCP response and the Access-Accept, the subscriber will be sent the list of DNS servers from the DHCP server response.