4 FreeRadius3 setup example
This section describes the minimum configuration editing you should make to provide FreeRadius 3 interaction with the FastPCRF.
Suppose the Radius server IP address is 192.168.1.200 and its port is 1812.
VasExperts dictionary
First you should add the vendor-specific attribute dictionary dictionary.vasexperts to the RADIUS server dictionary. For this purpose:
- Copy the /usr/share/dpi/dictionary.vasexperts dictionary from the fastpcrf distro to the $freeRadius/share/freeradius directory
- Add the following line to the $freeRadius/share/freeradius/dictionary main dictionary:
$INCLUDE dictionary.vasexperts
Client creation
Parameters of connection with the RADIUS server should be specified in the fastpcrf.conf configuration file of our instance, which is a RADIUS client:
radius_server=secret123@192.168.1.200%eth0:1812;msg_auth_attr=1
Here eth0 is the local device (network card) name used to establish the connection with the 192.168.1.200 server.
For each FastPCRF instance, the first step is to create a client in the FreeRadius. Let's name the client fastdpi1. All clients (FastPCRF instances) will refer to the same fastdpi-vs virtual server.
Add the following lines to the Radius server raddb/clients.conf:
client fastdpi1 {
    ipaddr = 192.168.1.32
    secret = secret123
    require_message_authenticator = yes
    # add_cui = yes
    virtual_server = fastdpi-vs
}
Here:
- ipaddr specifies the FastPCRF instance IP address; in our example it is 192.168.1.32.
- secret is a unique secret known both to the Radius server and to the client (i.e., the FastPCRF instance). The value is arbitrary and must match the corresponding setting in fastpcrf.conf: radius_server=secret123@192.168.1.200%eth0:1812
- require_message_authenticator indicates whether the Message-Authenticator attribute is mandatory within the RADIUS request. RFC 2869 strongly recommends using this attribute. This setting should be consistent with the msg_auth_attr parameter in fastpcrf.conf: radius_server=…;msg_auth_attr=1
- add_cui should be deactivated. For security reasons the RADIUS server sends the CUI (Chargeable-User-Identity) attribute as an encrypted hash of the user login, which is unacceptable for FastDPI because it expects the real user login. Therefore, the add_cui parameter is commented out.
- virtual_server specifies the name of the virtual server that we will configure below.
Creation of the virtual server
To create a virtual server configuration, you should copy the raddb/sites-available/default file included in the FreeRadius distribution, to the raddb/sites-enabled/fastdpi-vs one and then edit fastdpi-vs:
- set the virtual server name by changing the server default line at the beginning of the file to server fastdpi-vs
- in the listen section for auth requests (type = auth), you should specify both the IP address and the port used to listen to incoming requests (note that this is the local address of the RADIUS server):
    ipaddr = 192.168.1.200
    port = 1814
    interface = eth0
- delete the remaining listen sections (or comment them out, since we don't need them anymore)
- all the substantive work on generating the Access-Request response is specified within the post-auth section. It is impossible to give general recommendations here, since everything depends on the specific provider and on the environment of the RADIUS server: it is unknown where the data come from. For more detailed information on the list of required attributes, see Parameters of responses being sent from Radius servers to FastPCRF. As an example, static filling of the Access-Accept response attributes is given (don't forget that if the Access-Request contains a Chargeable-User-Identity attribute consisting of a single zero byte, it means that fastpcrf does not know the user login and requests it from the RADIUS server; in this example the CUI is formed from the Framed-IP-Address for illustration purposes only):
post-auth {
    …
    #
    # Add VasExperts attributes
    #
    if ( Chargeable-User-Identity == 0x00 ) {
        update reply {
            Chargeable-User-Identity := "u-%{Framed-IP-Address}"
        }
    } else {
        update reply {
            Chargeable-User-Identity := "%{Chargeable-User-Identity}"
        }
    }
    update reply {
        Framed-IP-Address := "%{Framed-IP-Address}"
        VasExperts-Policing-Profile := "test1"
        VasExperts-Service-Profile += "1:test1"
        Session-Timeout := 300
    }
    …
}
- The cui parameter of the post-auth section is commented out! FreeRadius sends the hash value of the login within the CUI instead of the user login, which we do not need, so we form the CUI attribute in the response ourselves; see the example above.
- To the Post-Auth-Type REJECT section (formation of the Access-Reject) below you should add:
  - the CUI attribute, if the FastPCRF requests it and the user is known;
  - the VasExperts-Policing-Profile attribute specifying the policing profile for unauthorized users (in the example below, the profile name is plc_unauth; you will have a different one);
  - the VasExperts-Service-Profile attribute specifying the profile of service 5 ("White List"). It is usually a profile allowing unauthorized users to access only the Captive Portal. In the example below, the profile name is cp_unauth; it will differ in your case.
Example:
if (Chargeable-User-Identity == "\0" ) {
    update reply {
        Chargeable-User-Identity := "login"
    }
}
update reply {
    VasExperts-Policing-Profile := "plc_unauth"
    VasExperts-Service-Profile += "5:cp_unauth"
}
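As an added illustration (example code, not part of the FastPCRF or FreeRADIUS distribution) of the two checks the configuration above relies on: the Message-Authenticator HMAC-MD5 that require_message_authenticator = yes / msg_auth_attr=1 enforces on every Access-Request, and the single-zero-byte Chargeable-User-Identity test used in the post-auth examples. The packet contents (identifier, Framed-IP-Address, CUI values) are constructed; secret123 is the shared secret from the clients.conf example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS constants (RFC 2865 / 2869 / 4372) used by the configuration on this page
ACCESS_REQUEST = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_MESSAGE_AUTHENTICATOR = 80
ATTR_CHARGEABLE_USER_IDENTITY = 89
SECRET = b"secret123"  # shared secret from the clients.conf example above


def build_access_request(secret, ident, attrs):
    """Encode an Access-Request carrying a valid Message-Authenticator (RFC 2869)."""
    # The HMAC-MD5 covers the whole packet with the attribute's 16 value bytes
    # zeroed; the Request Authenticator is random, as on a real client.
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16)
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def iter_attrs(packet):
    """Yield (offset, type, value) for every attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield pos, packet[pos], packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(secret, packet):
    """The check behind require_message_authenticator = yes: recompute the HMAC."""
    for pos, attr_type, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # attribute missing: the request must be rejected


def login_requested(packet):
    """True when the CUI is a single zero byte, i.e. FastPCRF asks for the login."""
    return any(t == ATTR_CHARGEABLE_USER_IDENTITY and v == b"\x00"
               for _, t, v in iter_attrs(packet))
```

A request whose HMAC was computed with a different secret, or whose attributes were modified in transit, fails the check exactly as FreeRADIUS would reject it for this client.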
Editing of users
To do so you should add two entries for FastPCRF to the raddb/users file:
VasExperts.FastDPI.unknownUser Cleartext-Password := "VasExperts.FastDPI"
DEFAULT Cleartext-Password := "VasExperts.FastDPI"
The first entry specifies the user name which FastPCRF sends if the user login is unknown; for details, see the description of the radius_unknown_user configuration parameter. This name is specified in the FastPCRF, as is the password; see the description of the radius_unknown_user_psw configuration parameter. The second entry sets the password which FastPCRF uses to send requests for known logins. This password is configured in the FastPCRF; see the description of the radius_user_password configuration parameter.