Description and Configuration [VAS Experts Documentation]

FastRADIUS (RADIUS Event Monitor) creates IP ↔ LOGIN bindings in DPI for networks with dynamic IP address assignment, deriving the mapping from RADIUS Accounting (IP-LOGIN mapping).
Depending on the subscriber type, FastRADIUS applies the following FastDPI commands (shown here in their fdpi_ctrl form):

  1. Subscribers with a single IPv4 address and an IPv6 subnet
    Binding an IP address to a LOGIN:
    fdpi_ctrl load --bind --user user_name:ip_address

    Removing the IP ↔ login binding:

    fdpi_ctrl del --bind --login user_name
  2. Subscribers with multiple IP addresses
    Binding an IP address or IP block to a LOGIN:
    fdpi_ctrl load --bind_multi --user user_name:ip_address_or_block

    Removing one of the IPs bound to a LOGIN:

    fdpi_ctrl del --bind_multi --ip ip_address

CG-NAT (service 11) can also be assigned based on the configured parameters (see Connecting NAT Based on CIDR below).

Operation Schemes

RADIUS Accounting is delivered to FastRADIUS on a standard Linux interface specified in the configuration file (in_dev), either by mirroring the existing RADIUS traffic or through a RADIUS proxy (e.g., FreeRADIUS). FastRADIUS only receives a copy of the traffic and does not respond to the RADIUS server; since it is a passive listener, it creates bindings from whatever accounting it is shown, so the mirror or proxy feed must carry only trusted RADIUS traffic. Standard Linux interfaces are read via libpcap.

Minimum FastRADIUS Configuration

Settings are located in the file /etc/dpi/fdpi_radius.conf:

  • in_dev=eth0 — name of the Linux interface to listen on
  • rad_acct_port=1813,1814,1815 — port (or comma-separated list of ports) on which RADIUS Accounting packets are expected
  • save_pdu_proto=0 — save PDUs in pcap format for analysis. Bitmask:
    • 0x00 — write nothing
    • 0x01 — broken/unparsed RADIUS packets
    • 0x02 — all RADIUS packets
    • 0x04 — broken/unparsed DIAMETER packets
    • 0x08 — all DIAMETER packets
    • 0x10 — broken/unparsed TACACS+ packets
    • 0x20 — all TACACS+ packets
  • rad_check_code_pdu=2:4 — analyze only PDUs with RADIUS codes 2 (Access-Accept) and 4 (Accounting-Request)
  • rad_check_acct_status_type=1:3 — analyze only PDUs with Acct-Status-Type 1 (Start) and 3 (Interim-Update)
  • mem_preset=1 — initialize memory on startup
  • fdpi_servers=127.0.0.1:29000,123.45.67.85:29000 — list of DPI servers to which bindings are sent; 29000 is the default FastDPI control port

To apply the configuration, restart the service:

systemctl restart fastradius

Stream Processing Configuration

The following values are recommended:
  • num_threads=1
  • rx_bind_core=0
  • services_bind_cores=0
  • engine_bind_cores=0
  • fifo_bind_cores=0
  • snaplen=2000
  • timeout_alarm=5
  • dbg_log_mask=0x31

Configuration for Exporting RADIUS Events to an External Collector

Alternative Scheme: Diverting RADIUS Accounting Traffic from FastDPI DPDK Interfaces

In this scheme, RADIUS Accounting must reach the DPI device ports together with the network traffic, e.g., by mirroring the switch ports connected to the RADIUS server. FastDPI then diverts the accounting packets to FastRADIUS; as in the basic scheme, FastRADIUS only receives a copy and does not respond to the RADIUS server.

TAP Interface Configuration

FastRADIUS can run on the same server as FastDPI or on a separate server. Two virtual interfaces, TAP0 and TAP1, isolate the diverted traffic:

  • TAP0 — receives the traffic diverted from FastDPI
  • TAP1 — listened on by Radius Monitor
  • A bridge (same server) or a tunnel (external server) is created between TAP0 and TAP1 to forward the traffic
  • MAC learning is disabled on the TAP0 interface

Specify the listening interface in the FastRADIUS configuration:

in_dev=tap1

Deploying Radius Monitor on the same server, using a bridge:

Deploying Radius Monitor on an external server, using a tunnel:

Execute the following commands from the console (bridge variant, both TAP interfaces on the same server):

# create both TAP devices and bring them up
ip tuntap add tap0 mode tap
ip tuntap add tap1 mode tap

ip link set dev tap0 up
ip link set dev tap1 up

# bridge them; TAP0 carries the diverted traffic, so MAC learning is switched off on it
ip link add br0 type bridge

ip link set tap0 master br0
bridge link set dev tap0 learning off
ip link set tap1 master br0

ip addr add 192.168.4.20/24 dev tap0
ip addr add 192.168.4.21/24 dev tap1
ip link set dev br0 up

WARNING: the TAP interfaces and the bridge are not persistent; they must be recreated after a server reboot (e.g., from a startup script).

Configuring Traffic Diversion from FastDPI to FastRADIUS

Enable the traffic diversion service (service 14) on FastDPI: create a profile describing the TAP device and the UDP ports to divert, then attach the RADIUS server addresses to it:

fdpi_ctrl load profile --service 14 --profile.name radius  --profile.json '{ "typedev" : "tap","dev" : "tap0","udp" : [ 1813,1814,1815 ] }' --outformat=json 
fdpi_ctrl load --service 14 --profile.name radius --ip 10.16.252.11
fdpi_ctrl load --service 14 --profile.name radius --ip 10.16.252.12

where:

  • 1813,1814,1815 — ports on which RADIUS Accounting is transmitted
  • 10.16.252.11, 10.16.252.12 — IP addresses of RADIUS servers sending RADIUS Accounting

Additional Radius Monitor Settings

  • rad_auth_port=1645 — listening port number (or comma-separated list of ports) for RADIUS Authentication packets
  • bind_multi=true — allow several IP addresses per User-Name (see the load --bind_multi command above)

If the order of bind/unbind events in the RADIUS stream is not preserved, or if packets are lost (which is possible with a mirror), stale or missing bindings may result.

Connecting NAT Based on CIDR

Creating named NAT profiles on FastDPI:

fdpi_ctrl load profile --service 11 --profile.name nat_profile_all --profile.json '{ "nat_ip_pool" : "5.200.43.0/24,5.200.44/25", "nat_tcp_max_sessions" : 2000, "nat_udp_max_sessions" : 2000 }'

In the FastRADIUS configuration file /etc/dpi/fdpi_radius.nat, specify IP ranges and their corresponding NAT profile names. Example:

0.0.0.0/0	nat_profile_all
10.0.0.0/8	nat_profile_1
10.1.1.0/24	nat_profile_2

Lookup is by longest prefix: when several ranges contain an address, the most specific one is selected. In the example above, 10.1.1.5 gets nat_profile_2, 10.2.3.4 gets nat_profile_1, and any other IPv4 address gets nat_profile_all.
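As an added illustration (not code from VAS Experts or FastRADIUS), the following Python reproduces the lookup rule for a fdpi_radius.nat table: longest-prefix match over the ranges, with the table contents constructed from the example above. The comment syntax and the rejection of malformed lines are assumptions of this example, not documented behaviour of the product.

```python
import ipaddress

# Constructed /etc/dpi/fdpi_radius.nat contents, following the example on this page (not a real file).
NAT_TABLE = """\
0.0.0.0/0\tnat_profile_all
10.0.0.0/8\tnat_profile_1
10.1.1.0/24\tnat_profile_2
"""


def parse_nat_table(text):
    """Parse '<cidr><whitespace><profile>' lines into [(network, profile)].

    Blank lines and '#' comments are skipped (an assumption of this example). strict=True rejects
    entries with host bits set, e.g. 10.1.1.5/24, because such a line is ambiguous about which
    range the operator meant, and a silently widened or narrowed NAT pool is a policy error."""
    table = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<cidr> <profile>', got {raw!r}")
        try:
            network = ipaddress.ip_network(fields[0], strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        table.append((network, fields[1]))
    return table


def select_nat_profile(table, ip):
    """Longest-prefix match: the most specific range containing ip wins; None if no range matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for network, profile in table:
        if addr.version == network.version and addr in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, profile)
    return best[1] if best else None


if __name__ == "__main__":
    table = parse_nat_table(NAT_TABLE)
    for ip in ("10.1.1.5", "10.2.3.4", "8.8.8.8", "2001:db8::1"):
        print(ip, "->", select_nat_profile(table, ip))
```

The 0.0.0.0/0 line acts as the catch-all; an IPv6 address matches none of the IPv4 ranges and returns None, which the caller should treat as "no NAT profile" rather than falling back to a default.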

IPv6 Support

The parameters for binding IPv6 addresses and subnets to subscribers are set in /etc/dpi/fdpi_radius.conf:

  • bind_ipv6_address
    • 0 — do not bind the address to the subscriber (default)
    • 1 — bind
      Binding works like the bind command in fdpi_ctrl. The address is taken from the RADIUS attribute Framed-IPv6-Address(168).
  • bind_ipv6_subnet
    • 0 — do not bind (default)
    • 64 — bind only /64 subnets
    • -1 — bind subnets of any length
      The subnet is taken from the RADIUS attribute Delegated-IPv6-Prefix(123).

bind_ipv6_address and bind_ipv6_subnet can be enabled at the same time.
If Framed-IPv6-Prefix carries a /128 mask, it is not checked against the restriction set by bind_ipv6_subnet.

The subscriber is identified by the RADIUS attribute User-Name or Calling-Station-ID, depending on the login_replace setting.

The current implementation supports only IPv6 subnets of a fixed length (default /64); attempting to bind a shorter subnet results in an error.

Subscriber Identification in Mobile Networks

  • login_replace=1 — the RADIUS attribute Calling-Station-ID (which carries the IMSI in mobile networks) is used for subscriber identification instead of User-Name whenever it is present in the RADIUS packet.
  • ipfix_extra_gsm=1 — enable export of additional attributes from RADIUS Accounting via IPFIX.

Appending Region Prefixes to Subscriber Names (LOGIN)

Used when the RADIUS monitor and SCAT serve several regions and User-Name values may overlap between them; the prefix turns the same user-name from different regions into distinct logins.

  1. Enable the setting rad_prefix_info=1
  2. Add to the file /etc/dpi/prefixes.info:
    172.17.76.1 MSK-
    172.17.76.2 MSK-
    172.17.76.3 SPB-
    172.17.76.4 SPB-
    172.17.76.5 SPB-

    where:

    • first field — NAS-IP-Address from the RADIUS packet
    • second field — prefix prepended to the login
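The following Python is an added illustration, not code from FastRADIUS or VAS Experts, that ties together the settings described on this page (rad_check_code_pdu, rad_check_acct_status_type, login_replace, rad_prefix_info, bind_ipv6_address, bind_ipv6_subnet, bind_multi): it parses a constructed RADIUS Accounting-Request, applies the filters, resolves the login (including the Calling-Station-ID substitution and the NAS-IP-Address region prefix) and derives the fdpi_ctrl commands. The mapping from PDU to command line is the example's own; the Stop status is admitted by the example's filter so that unbinding can be shown (the page's 1:3 example admits only Start and Interim-Update), and the delegated prefix is passed to --bind in CIDR form, which is an assumption.

```python
import ipaddress
import shlex
import struct

# RFC 2865/2866/4818/6911 codes and attribute types named on this page.
ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 8, 31
ACCT_STATUS_TYPE, DELEGATED_IPV6_PREFIX, FRAMED_IPV6_ADDRESS = 40, 123, 168

# Settings keyed like fdpi_radius.conf; the values are this example's assumptions
# (Stop is admitted, unlike the page's 1:3 example, so that unbinding can be shown).
SETTINGS = {
    "rad_check_code_pdu": {ACCESS_ACCEPT, ACCOUNTING_REQUEST},
    "rad_check_acct_status_type": {ACCT_START, ACCT_STOP, ACCT_INTERIM},
    "login_replace": 1, "rad_prefix_info": 1,
    "bind_ipv6_address": 1, "bind_ipv6_subnet": 64, "bind_multi": False,
}
# Constructed /etc/dpi/prefixes.info content: NAS-IP-Address -> login prefix.
PREFIXES = {"172.17.76.1": "MSK-", "172.17.76.3": "SPB-"}


def parse_radius(pdu):
    """Header + attributes; a ValueError here is the 'broken/unparsed' case of save_pdu_proto=0x01."""
    if len(pdu) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pdu[:4])
    if length < 20 or length > len(pdu):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2 or pdu[pos + 1] < 2 or pos + pdu[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(pdu[pos], pdu[pos + 2:pos + pdu[pos + 1]])  # first occurrence wins
        pos += pdu[pos + 1]
    return code, attrs


def subscriber_login(attrs, settings, prefixes):
    """User-Name, or Calling-Station-Id when login_replace=1, plus the region prefix for the NAS."""
    login = attrs.get(USER_NAME)
    if settings["login_replace"] == 1 and CALLING_STATION_ID in attrs:
        login = attrs[CALLING_STATION_ID]
    if login is None:
        raise ValueError("no User-Name or Calling-Station-Id")
    nas, prefix = attrs.get(NAS_IP_ADDRESS), ""
    if settings["rad_prefix_info"] == 1 and nas is not None and len(nas) == 4:
        prefix = prefixes.get(str(ipaddress.IPv4Address(nas)), "")
    return prefix + login.decode("utf-8")


def subscriber_addresses(attrs, settings):
    """Framed-IP-Address, Framed-IPv6-Address(168) and Delegated-IPv6-Prefix(123) as bind targets."""
    addrs = []
    v4, v6 = attrs.get(FRAMED_IP_ADDRESS), attrs.get(FRAMED_IPV6_ADDRESS)
    pfx, want = attrs.get(DELEGATED_IPV6_PREFIX), settings["bind_ipv6_subnet"]
    if v4 is not None and len(v4) == 4:
        addrs.append(str(ipaddress.IPv4Address(v4)))
    if settings["bind_ipv6_address"] == 1 and v6 is not None and len(v6) == 16:
        addrs.append(str(ipaddress.IPv6Address(v6)))
    if want != 0 and pfx is not None and len(pfx) >= 2:
        plen = pfx[1]  # RFC 4818 layout: Reserved(1), Prefix-Length(1), Prefix(variable)
        if want != -1 and plen != want:
            raise ValueError(f"/{plen} prefix rejected by bind_ipv6_subnet={want}")
        addrs.append(str(ipaddress.IPv6Network((pfx[2:18].ljust(16, b"\0"), plen), strict=False)))
    return addrs


def fdpi_commands(pdu, settings=SETTINGS, prefixes=PREFIXES):
    """fdpi_ctrl lines this PDU calls for; [] when the rad_check_* filters drop it."""
    code, attrs = parse_radius(pdu)
    if code not in settings["rad_check_code_pdu"] or code != ACCOUNTING_REQUEST:
        return []  # filtered out, or Access-Accept (no Acct-Status-Type; only accounting is modelled)
    raw = attrs.get(ACCT_STATUS_TYPE)
    if raw is None or len(raw) != 4:
        raise ValueError("Accounting-Request without Acct-Status-Type")
    status = struct.unpack("!I", raw)[0]
    if status not in settings["rad_check_acct_status_type"]:
        return []
    login = subscriber_login(attrs, settings, prefixes)
    addrs = subscriber_addresses(attrs, settings)
    # shlex.join: User-Name is attacker-chosen text and must never be spliced into a shell line raw.
    if status == ACCT_STOP and settings["bind_multi"]:
        return [shlex.join(["fdpi_ctrl", "del", "--bind_multi", "--ip", a]) for a in addrs]
    if status == ACCT_STOP:
        return [shlex.join(["fdpi_ctrl", "del", "--bind", "--login", login])]
    flag = "--bind_multi" if settings["bind_multi"] else "--bind"
    return [shlex.join(["fdpi_ctrl", "load", flag, "--user", f"{login}:{a}"]) for a in addrs]


def build_pdu(code, attrs, ident=1):
    """Encode a PDU with a zeroed authenticator: a passive mirror cannot verify it without the secret."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed Accounting-Request attributes for one mobile subscriber (not captured traffic).
SUBSCRIBER = [
    (USER_NAME, b"user1"),
    (CALLING_STATION_ID, b"250011234567890"),  # IMSI, wins because login_replace=1
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("172.17.76.1").packed),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.5").packed),
    (DELEGATED_IPV6_PREFIX, b"\x00\x40" + ipaddress.IPv6Address("2001:db8:1:2::").packed[:8]),
]
START_PDU = build_pdu(ACCOUNTING_REQUEST, SUBSCRIBER + [(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))])
STOP_PDU = build_pdu(ACCOUNTING_REQUEST, SUBSCRIBER + [(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))])
```

Running fdpi_commands(START_PDU) yields a --bind for 10.0.0.5 and one for 2001:db8:1:2::/64 under the login MSK-250011234567890, and fdpi_commands(STOP_PDU) yields the matching del --bind --login. Two points carry over to a real deployment: a listener that only sees a mirror has no shared secret and therefore cannot check the Request Authenticator, so the trust boundary is the mirror feed itself; and User-Name comes from the subscriber's device, so any command built from it must be passed as an argument vector (or quoted, as shlex.join does here) rather than interpolated into a shell string.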
