
This is an old revision of the document!


1 VasExperts VSA attributes

The policing profile and the list of activated services are transferred in the Vendor-Specific attribute [26], which is sent in responses.

VENDOR          VasExperts                  43823
BEGIN-VENDOR    VasExperts
ATTRIBUTE       VasExperts-Policing-Profile 1 string
ATTRIBUTE       VasExperts-Service-Profile  2 string
ATTRIBUTE       VasExperts-Enable-Service   3 string
ATTRIBUTE       VasExperts-Multi-IP-User    4 integer
ATTRIBUTE       VasExperts-UserName         5 string
ATTRIBUTE       VasExperts-Restrict-User    7 byte    # or integer
END-VENDOR      VasExperts

VasExperts-Policing-Profile

A string attribute specifying the user policing profile name. There should be no more than one such attribute in a response to an Access-Request.

VasExperts-Service-Profile

A string attribute specifying the user policing profile name for a given fastDPI service. The following format is used:

service_id:profile_name

Here:

service_id - a number, FastDPI service ID

profile_name - a string, service profile name

For example, to enable the NAT service (11) with the profile "cgnat":

VasExperts-Service-Profile="11:cgnat"

A PDU can contain zero or more VasExperts-Service-Profile attributes — one attribute for each service. If a profile is associated with a service, the service is considered enabled (activated).

To disable a service in CoA, use the VasExperts-Enable-Service attribute. For example, to disable service 5 in CoA, specify VasExperts-Enable-Service="5:off". To enable service 5 with the associated my_white_list profile, specify:

VasExperts-Service-Profile = "5:my_white_list"

VasExperts-Enable-Service

A string attribute that enables or disables a given service that requires no profile. The format is:

service_id:flag

Here:

service_id – a number, FastDPI service ID

flag – an indicator whether the service is enabled/disabled. Valid values are:

1, on, enabled – the service is enabled

0, off, disabled – the service is disabled

An example of enabled service: 5:on

An example of disabled service: 5:off

When dealing with CoA, use this attribute to disable a service. For example, disabling service 5 looks like this:

VasExperts-Enable-Service = "5:off"

Enabling service 5 with the associated my_white_list profile looks like this:

VasExperts-Service-Profile = "5:my_white_list"

Important note: by default, the rule "whatever is not explicitly enabled is considered disabled" applies. That is, if a service is not explicitly marked as enabled (or if no service profile is specified for it), the service is considered disabled. Service 4 (black list, filtering of traffic to be blocked) follows a stricter rule: it must be explicitly disabled for the user. To disable service 4 "black-list", the RADIUS server response must explicitly contain the VasExperts-Enable-Service="4:off" attribute.

Enabling of service 4 "black-list" is managed by the global fastDPI settings. Service 4 is usually globally enabled in order not to violate the Russian federal law.
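The rules above can be checked against a RADIUS reply before it goes into production. The following is an added example, not VAS Experts code: it evaluates a single reply in isolation, reports a reply that switches off service 4, and assumes that spaces around the colon are tolerated and that a later attribute overrides an earlier one for the same service. The profile name rate_10m and both sample replies are constructed.

```python
ON_FLAGS = {"1", "on", "enabled"}       # flag values listed on this page
OFF_FLAGS = {"0", "off", "disabled"}
BLACKLIST = 4                           # service 4: on unless explicitly disabled


def split_pair(value):
    """Split 'service_id:rest' into (int, str); raise ValueError if malformed."""
    sid, sep, rest = value.partition(":")
    sid, rest = sid.strip(), rest.strip()   # tolerating spaces is an assumption
    if not sep or not sid.isdigit() or not rest:
        raise ValueError(f"malformed service value: {value!r}")
    return int(sid), rest


def resolve(attrs, blacklist_global=True):
    """Return (services, findings) for one reply given as (name, value) pairs.
    services maps service_id -> {"enabled": bool, "profile": str or None}."""
    services, findings = {}, []
    if blacklist_global:                    # set in the global fastDPI settings
        services[BLACKLIST] = {"enabled": True, "profile": None}
    if [n for n, _ in attrs].count("VasExperts-Policing-Profile") > 1:
        findings.append("more than one VasExperts-Policing-Profile")
    for name, value in attrs:
        if name == "VasExperts-Service-Profile":
            sid, profile = split_pair(value)
            services[sid] = {"enabled": True, "profile": profile}
        elif name == "VasExperts-Enable-Service":
            sid, flag = split_pair(value)
            if flag not in ON_FLAGS | OFF_FLAGS:
                raise ValueError(f"unknown flag in {value!r}")
            entry = services.setdefault(sid, {"enabled": False, "profile": None})
            entry["enabled"] = flag in ON_FLAGS
            if sid == BLACKLIST and flag in OFF_FLAGS:
                findings.append("reply disables service 4 (black-list)")
    return services, findings


def enabled(services, sid):
    """Anything not explicitly enabled counts as disabled."""
    return services.get(sid, {"enabled": False})["enabled"]


# Constructed sample replies (not captured traffic).
ACCEPT = [("VasExperts-Policing-Profile", "rate_10m"),
          ("VasExperts-Service-Profile", "11:cgnat"),
          ("VasExperts-Enable-Service", "5:on")]
COA = [("VasExperts-Enable-Service", "5:off"),
       ("VasExperts-Enable-Service", "4:off")]
```
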

VasExperts-Multi-IP-User

Indicates whether multiple IP addresses are associated with this subscriber or only one. This attribute can be either a byte or a 32-bit number. A value of 1 means that several IP addresses can be associated with a given subscriber (corporate client); a value of 0 means that only one IP address can be associated. If the VasExperts-Multi-IP-User attribute is not present in the PDU, it is considered that only one IP address is associated with the subscriber.

If the subscriber has been assigned VasExperts-Multi-IP-User=1, then the properties (enabled services and policing) will be applied to all subscriber IP addresses. In this case the subscriber login is used as a key. It should be noted that the VAS Experts DPI authorizes each subscriber IP address: for example, if there are 10 IP addresses associated with the subscriber, an Access-Request authorization request would be sent for each address. It is expected that the answer for each IP address of a multi-IP subscriber would contain the same set of enabled services and the same profiles. The answer to the authorization of each of the 10 IP addresses will be applied to the subscriber login, that is, all the IP addresses belonging to the login get the same set of services and the same policing.

VasExperts-UserName

Subscriber login.

This attribute is introduced to support some billing systems that by their very nature cannot include a User-Name attribute within the Access-Accept/Reject response, but can include any VSA attribute. If the response contains both attributes, i.e. the User-Name and the VasExperts-UserName, then preference is given to VasExperts-UserName.
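Because the reply for each IP address of a multi-IP subscriber is applied to the whole login, replies that differ between addresses are worth catching on the billing side. The following is an added example, not VAS Experts code: it groups replies by login (preferring VasExperts-UserName over User-Name, as described above) and lists multi-IP logins whose per-address replies carry different policing or service attributes. The logins, profile names and addresses are constructed.

```python
from collections import defaultdict

# Attributes that must match across all IP addresses of a multi-IP login.
SERVICE_ATTRS = {"VasExperts-Policing-Profile", "VasExperts-Service-Profile",
                 "VasExperts-Enable-Service"}


def login_of(attrs):
    """VasExperts-UserName is preferred over User-Name when both are present."""
    d = dict(attrs)
    return d.get("VasExperts-UserName", d.get("User-Name"))


def is_multi_ip(attrs):
    """An absent VasExperts-Multi-IP-User means a single IP address."""
    return any(n == "VasExperts-Multi-IP-User" and int(v) == 1 for n, v in attrs)


def inconsistent_logins(replies):
    """replies: {ip: [(name, value), ...]}. Return {login: [ips]} for multi-IP
    logins whose per-IP replies differ in policing or service attributes."""
    by_login = defaultdict(dict)
    for ip, attrs in replies.items():
        if is_multi_ip(attrs):
            key = frozenset((n, v) for n, v in attrs if n in SERVICE_ATTRS)
            by_login[login_of(attrs)][ip] = key
    return {login: sorted(per_ip)
            for login, per_ip in by_login.items()
            if len(set(per_ip.values())) > 1}


# Constructed sample: one reply per authorized IP address.
CORP = [("User-Name", "billing-id-7"), ("VasExperts-UserName", "corp-42"),
        ("VasExperts-Multi-IP-User", "1"),
        ("VasExperts-Policing-Profile", "rate_100m"),
        ("VasExperts-Service-Profile", "11:cgnat")]
SAMPLE = {
    "192.0.2.10": CORP,
    "192.0.2.11": CORP,
    "192.0.2.12": CORP[:-1],          # the cgnat profile is missing here
    "192.0.2.50": [("User-Name", "home-9"),
                   ("VasExperts-Policing-Profile", "rate_10m")],
}
```
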

VasExperts-Restrict-User

Indicates whether the subscriber is blocked or not.

From the VAS Experts DPI point of view, an Access-Accept response means that the subscriber is not blocked, and for subscribers that are currently blocked the Access-Reject should contain special subscriber attributes specifying the restrictions. But some RADIUS client implementations do not support returning subscriber attributes in the Access-Reject. For such implementations, the VasExperts-Restrict-User attribute is provided:

value 0 means that subscriber is not blocked

value 1 means that subscriber is blocked

VAS Experts DPI handles an Access-Accept as an Access-Reject when VasExperts-Restrict-User=1.

VasExperts-Enable-Interconnect

Indicates whether the subscriber's local traffic interconnect is enabled or disabled.

This attribute refers to L2 BRAS. If local interconnect is enabled, L2 BRAS interconnects any two local subscribers by default. Using this attribute you can disable interconnect:

VasExperts-Enable-Interconnect=0

A packet from one local subscriber to another will be dropped, if at least one of the subscribers has disabled interconnect.