Full List of Parameters [VAS Experts Documentation]

Full List of Parameters

FastPCRF command line options:

  • -c <conf_file_name> - specifies the configuration file name;
  • -d – run fastPCRF as a daemon;
  • -h – display help;
  • -v – print version.

Configuration parameters are taken from the fastpcrf.conf file, which by default is located in the same place as fastdpi.conf — in the /etc/dpi directory.

The order of parameters in fastpcrf.conf matters!
For example, RADIUS servers must be declared after the parameters describing the RADIUS server connection.
We strongly recommend adhering to the sequence used in the template.

General configuration file parameters:

  • daemon — boolean parameter specifying the startup mode: if daemon=1 — run fastPCRF in daemon mode, otherwise — as a regular program. Default value is 0 (run as a regular program). This parameter can be overridden by the command line option -d.
  • verbose — boolean parameter, sets the detailed logging level: if verbose=1 — the program will log its actions, incoming requests, and outgoing data in detail. Default value is 0.
    Note: if verbose=1, the trace parameter is ignored — traces for all subsystems are output.
  • trace — tracing bitmask; specifies which components require detailed logging. Default value is 0. For flag values, see the section FastPCRF Logs.
  • rlimit_fsize — maximum file size when writing, bytes. Default value is 1G (1073741824 bytes).
  • print_stat_period — period for outputting internal statistics to the fastpcrf_stat.log file. Specified in seconds, default value is 300 (statistics are output every 5 minutes).
  • work_thread_count — number of worker threads, default value is 5. Setting a value greater than 5 is pointless, as the number of worker threads cannot exceed the number of internal fastpcrf components.
  • async_queue_size — size of the internal asynchronous message transfer queue; default value is 524288 (512K). It is better not to touch this parameter and especially not to reduce it, as setting too small a size can lead to loss of internal calls between components, which is equivalent to loss of functionality and/or memory leaks.

Parameters for communication with fastDPI: fdpi_server

  • auth_server_port — port number on which to listen for incoming connections. Default value is 29002.
  • auth_server_max_connection — maximum number of incoming connections, default value is 16, maximum value is 16. Effectively, this is the number of fastDPI servers served by this fastPCRF server.

Specifying fastDPI servers:

  • fdpi_server — specifies one fastDPI server.
    Format: fdpi_server=ip%dev:port[;name=value]*, where
    • ip — IP address of the fastDPI server;
    • dev — interface from which the connection originates;
    • port — fastPCRF → fastDPI feedback port (usually 29000 — standard fdpi_ctrl port);
    • name=value — additional server parameters:
      • attr_nas_ip — IPv4 address for the NAS-IP-Address attribute; if not specified, the fastDPI IP address (ip) is used;
      • attr_nas_ipv6 — value of the NAS-IPv6-Address attribute for this fastDPI;
      • attr_nas_id — value of the NAS-Identifier attribute for this fastDPI.

The config file can include multiple fdpi_server parameters — each fastDPI server is described by a separate parameter. Maximum number of fastDPI servers is 16.

fdpi_server=127.0.0.1%lo:29000;attr_nas_ip=5.5.5.5
fdpi_server=10.20.30.40%eth1:29000;attr_nas_id=DPI2

Settings for interaction with RADIUS servers:

  • default_reject_policing — default policing profile name for unauthorized users.
  • default_reject_whitelist — default service profile 5 (Whitelist) name for unauthorized users.
  • radius_revive_period — periodicity (in seconds) of the task to revive the connection to the main RADIUS server. Default value is 120 seconds. RADIUS servers in the radius_server list are not equivalent: the first is considered the main RADIUS server, the rest are backup. If fastPCRF detects that the main RADIUS server has not responded for too long, the connection to it is reset and fastPCRF connects to the next RADIUS server in the list. At the same time, periodic attempts to connect to the main RADIUS server are made until the main RADIUS server becomes available (removed as unnecessary since version 12.3).
  • radius_max_pending_requests — maximum number of pending requests from fastDPI servers. Default value is 1,000,000. When this threshold is exceeded, incoming requests from fastDPI servers are silently dropped.
  • coa_max_pending_requests — maximum number of pending CoA requests from RADIUS servers. Default value is 100,000. This value should not be higher than the value of the async_queue_size parameter, recommended value is no more than async_queue_size / 2.

radius_server — specifies the address of a RADIUS server and its configuration parameters. Each RADIUS server in the configuration file is described by a separate radius_server parameter. Usually at least 2 RADIUS servers are specified, a primary and a backup, so the conf-file should contain at least 2 radius_server lines. Maximum number of RADIUS servers is 16. RADIUS servers are not equivalent: the main server is the one described first in the conf-file, the rest are considered backup. Backup servers are used when the main server is unavailable, in the order specified in the conf-file. At any given time, only one RADIUS server is active.

The format for specifying radius_server is as follows:

radius_server=secret@ip%dev:port{;param=value}*

where:

  • secret — RADIUS server secret;
  • ip — RADIUS server IP address;
  • dev (optional) — name of the interface on which to create the connection; if not specified, the interface is chosen by the operating system;
  • port — RADIUS server port;
  • param=value — list (separated by semicolons) of configuration parameters for this RADIUS server.

RADIUS server configuration parameters can be set in three ways:

  1. Values that are the same for all RADIUS servers are set as regular parameters in the fastpcrf.conf file (all such parameters are listed below). The main condition is that they must be set before the radius_server parameters — only in this case are they applied to all RADIUS servers.
  2. For each RADIUS server, its own configuration file can be created, the name of which is specified by the conf parameter in the radius_server line, for example:
    radius_server=secret@10.10.3.5:1812;conf=radius-main.conf

    values from radius-main.conf override the default parameter values.

  3. Parameters unique to a specific RADIUS server can be set directly in the radius_server line, for example:
    radius_server=secret@10.10.3.5:1812;conf=radius-main.conf;msg_auth_attr=1

    Here the msg_auth_attr parameter is set for the specific server 10.10.3.5 and overrides the setting of the corresponding parameter in the configuration file radius-main.conf. Note that the order in radius_server matters: parameters are applied exactly in the order they are specified in radius_server.
    If conf and msg_auth_attr are swapped in the example above and radius-main.conf sets msg_auth_attr=0, then msg_auth_attr=0 from radius-main.conf will be applied.
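The override order described above, as an added example (a Python model written for this page, not fastPCRF code): it reads a fastpcrf.conf top to bottom and returns the parameters each radius_server line ends up with, so a setting such as msg_auth_attr that is silently undone by ordering shows up before deployment. The server 10.10.3.6, the contents of radius-main.conf, the function names and the handling of an `@` inside the secret are assumptions of the example; only three of the per-server parameters are modelled.

```python
import re

# Global name in fastpcrf.conf -> per-server name (subset of the page's list)
GLOBAL_TO_LOCAL = {"radius_msg_auth_attr": "msg_auth_attr",
                   "radius_response_timeout": "response_timeout",
                   "radius_resend_count": "resend_count"}
DEFAULTS = {"msg_auth_attr": "1", "response_timeout": "30", "resend_count": "0"}
ADDR_RE = re.compile(r"^(.*)@([^@%:]+)(?:%([^:]+))?:(\d+)$")  # secret@ip%dev:port

def parse_kv(text):
    """Yield (name, value) for every name=value line of a conf file."""
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name:
            yield name.strip(), value.strip()

def effective_servers(main_conf, conf_files):
    """Return [(ip, port, params)] per radius_server line, in file order."""
    current = dict(DEFAULTS)          # what the next radius_server line inherits
    servers = []
    for key, value in parse_kv(main_conf):
        if key in GLOBAL_TO_LOCAL:
            current[GLOBAL_TO_LOCAL[key]] = value   # reaches later servers only
        elif key == "radius_server":
            addr, *opts = value.split(";")
            m = ADDR_RE.match(addr)
            if not m:
                raise ValueError(f"malformed radius_server address: {addr!r}")
            params = dict(current)
            for opt in opts:                        # applied left to right
                name, _, val = opt.partition("=")
                if name == "conf":                  # file overrides what came before
                    params.update(parse_kv(conf_files[val]))
                else:
                    params[name] = val
            servers.append((m.group(2), int(m.group(4)), params))
    return servers

# Constructed input: 10.10.3.6 and the file contents are made up for the demo.
MAIN_CONF = """\
radius_response_timeout=10
radius_server=secret@10.10.3.5:1812;conf=radius-main.conf;msg_auth_attr=1
radius_server=secret@10.10.3.6:1812;msg_auth_attr=1;conf=radius-main.conf
radius_resend_count=2
"""
CONF_FILES = {"radius-main.conf": "msg_auth_attr=0\n"}

if __name__ == "__main__":
    print(*effective_servers(MAIN_CONF, CONF_FILES), sep="\n")
```

The second server ends up with msg_auth_attr=0 because conf comes last on its line, and radius_resend_count=2 reaches neither server because it is declared after them.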

The following lists RADIUS server parameters that can be set individually for each RADIUS server. The parameter names in the main conf-file fastpcrf.conf are given, with the names as they are set in the radius_server parameter and in a separate RADIUS server conf-file in parentheses:

  • radius_dead_timeout (dead_timeout) — frequency of pinging the RADIUS server in seconds when it is in the Dead state. In the Dead state, the server is pinged every radius_dead_timeout seconds: a ping is sent and the server transitions to the Dead-ping-sent state. That is: if radius_dead_timeout=3600 (1 hour), then the RADIUS server cannot transition to the Alive state sooner than an hour after transitioning to the Dead state.
  • radius_max_connect_count (max_connect_count) — maximum number of connections to one RADIUS server, default value is 16. In the main RADIUS specification (RFC 2865), the Identifier field used to match a response to its request is 1 byte long, so one connection can have no more than 256 requests outstanding at a time. To overcome this limitation, the specification suggests creating multiple connections to one RADIUS server. Effectively, this parameter sets the number of simultaneous requests to one RADIUS server: radius_max_connect_count * 256.
  • radius_response_timeout (response_timeout) — timeout for waiting for a response to an Access-Request to the RADIUS server in seconds, default value is 30. If a response to the request does not arrive within this time, the request is considered dropped by the RADIUS server (e.g., due to "too many requests") and fastPCRF attempts to send the request again.
  • radius_resend_count (resend_count) — maximum number of retry attempts for sending a request, default value is 0 (no retry). If the number of retry attempts is exhausted and no response is received from the RADIUS server, fastPCRF does not notify the fastDPI server. FastDPI, in case of no response to authorization within a certain timeout (parameter auth_resend_timeout in the fastdpi.conf file), will send a repeat authorization request.
  • radius_status_server (status_server) — boolean parameter, specifies whether the RADIUS server supports the Status-Server request (RFC 5997); default value is 1 (request supported). This type of request is used by fastPCRF to ping the RADIUS server, especially in case of temporary unavailability of the main RADIUS server. Without Status-Server support, it is difficult to determine if the main RADIUS server has recovered.
  • radius_keepalive — timeout for pinging RADIUS servers in seconds. If there are no authorization requests, fastPCRF periodically pings RADIUS servers by sending Status-Server or Access-Request. If the server responds, it is considered available. Default value: 60 seconds.
  • radius_ping_user_name — User-Name of a pseudo-subscriber used in Access-Request to check RADIUS server availability.
  • radius_ping_user_password — password of the pseudo-subscriber used in Access-Request to check RADIUS server availability.
  • radius_user_password (user_password) — string, value of the User-Password attribute in the Access-Request. Default value: VasExperts.FastDPI.
  • radius_unknown_user (unknown_user) — string, user login if the real login is unknown to fastDPI. Default value: VasExperts.FastDPI.unknownUser. This is the value of the User-Name attribute in the Access-Request if radius_user_name_ip=0 and the user login is unknown. It is assumed that the RADIUS server in the Access-Accept response will report the true user login, determined by their IP address taken from the Framed-IP-Address attribute. Note that this parameter is closely related to the radius_user_name_auth parameter and is applied only if no method for setting the User-Name attribute is applicable.
  • radius_unknown_user_psw (unknown_user_pws) — string, value of the User-Password attribute for an unknown user login. Applied only if radius_user_name_ip=0. Default value: VasExperts.FastDPI.
  • radius_msg_auth_attr (msg_auth_attr) — boolean parameter, specifies whether the RADIUS server supports the Message-Authenticator attribute (RFC 2869). Default value is 1 (attribute supported). If the attribute is supported, fastPCRF will calculate and include Message-Authenticator in every Access-Request and Status-Server request, and also analyze this attribute in responses; if the check of the Message-Authenticator attribute in a response ends in error, such a response is dropped.
  • radius_attr_nas_port_type (attr_nas_port_type) — number, value of the NAS-Port-Type attribute (RFC 2865) in the Access-Request; default value is 5 (Virtual).
  • radius_attr_service_type (attr_service_type) — number, value of the Service-Type attribute (RFC 2865) in the Access-Request. Default value is 2 (Framed).
  • radius_attr_cui (attr_cui) — boolean parameter, specifies whether the RADIUS server supports the Chargeable-User-Identity (CUI, RFC 4372) attribute. Default value is 1 (CUI supported). If this attribute is supported, then fastPCRF places the user login in this attribute in the Access-Request; if the login is unknown, a zero byte is placed in the attribute, which, according to RFC 4372, means requesting the login from the RADIUS server. In the Access-Accept response, fastPCRF expects to receive the true user login in this attribute, which the RADIUS server can determine by their IP address (Framed-IP-Address attribute of the request).
  • radius_coa_port (coa_port) — UDP port on which Change-of-Authorization (CoA) notifications Disconnect-Request, CoA-Request (RFC 5176) are received. Default value: 3799 (defined in RFC 5176); if the RADIUS server does not support CoA, set this parameter to 0.
  • radius_coa_resend_timeout (coa_resend_timeout) — timeout for resending CoA responses (Disconnect-ACK, Disconnect-NAK, CoA-ACK, CoA-NAK) in case of socket problems (usually socket queue overflow), in seconds. Default value is 1 second. The number of retry attempts is set by the radius_resend_count parameter.
  • coa_reauth_ack — how to respond to CoA-Request with Service-Type=8 (Authenticate-Only):
    • 0 (default value) — according to RFC 5176, section 3.2: respond with CoA-NAK with Error-Cause=507 (Request Initiated);
    • 1 — non-standard behavior: respond with CoA-ACK.
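What the msg_auth_attr check in the list above amounts to on the wire, as an added example (Python written for this page, not fastPCRF code): the Message-Authenticator of a reply is HMAC-MD5, keyed with the shared secret, over the reply with the Request Authenticator placed in the header and the attribute value zeroed. The function names, the sample packet built by build_reply, and the choice to treat a reply that lacks the attribute as a failed check are assumptions of the example.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80   # attribute type (RFC 2869)
HEADER_LEN = 20              # Code, Identifier, Length, 16-byte Authenticator

def find_msg_auth(packet):
    """Offset of the 16-byte Message-Authenticator value, or None if absent."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                raise ValueError("Message-Authenticator must be 18 bytes long")
            return pos + 2
        pos += alen
    return None

def reply_is_authentic(reply, request_authenticator, secret):
    """True if the reply's Message-Authenticator verifies; False means drop it."""
    length = struct.unpack("!H", reply[2:4])[0] if len(reply) >= HEADER_LEN else 0
    if not HEADER_LEN <= length <= len(reply):
        return False
    reply = reply[:length]                 # bytes past Length are padding
    try:
        off = find_msg_auth(reply)
    except ValueError:
        return False
    if off is None:                        # assumption: missing attribute = failure
        return False
    # HMAC-MD5 input: the reply with the Request Authenticator in the header
    # and the attribute value replaced by 16 zero bytes.
    signed = (reply[:4] + request_authenticator +
              reply[HEADER_LEN:off] + bytes(16) + reply[off + 16:])
    expected = hmac.new(secret, signed, hashlib.md5).digest()
    return hmac.compare_digest(reply[off:off + 16], expected)

def build_reply(code, ident, request_authenticator, attrs, secret):
    """Constructed sample input: a signed reply as a RADIUS server would send it."""
    body = attrs + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    mac = hmac.new(secret, head + request_authenticator + body, hashlib.md5).digest()
    body = body[:-16] + mac
    resp_auth = hashlib.md5(head + request_authenticator + body + secret).digest()
    return head + resp_auth + body
```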
