This is an old revision of the document!
4 FastPCRF settings for Radius servers
Radius servers within the radius_server list are unequal: the first one is considered to be the main Radius server, whereas the rest are considered to be as backup servers. If FastPCRF detects that the main Radius server is not responding for a long time, the corresponding will be reset and FastPCRF will connect to the next radius server from the list. However, the FastPCRF periodically attempts to connect to the main radius server until it becomes available.
| Parameter | Format | Default value | Description |
|---|---|---|---|
| default_reject_policing | string | no | The default policing profile name for unauthorized users |
| default_reject_whitelist | string | no | Service 5 (White list) profile name used by default for unauthorized users. |
| radius_revive_period | seconds | 120 | Periodicity of the reconnection to the main Radius server. |
| radius_max_pending_requests | number | 1000000 | The maximum number of pending requests from the FastDPI servers. When this threshold is exceeded, the incoming requests from the FastDPI servers will not be handled. |
| coa_max_pending_requests | number | 100000 | The maximum number of pending CoA requests from the Radius servers. This value should not be higher than the value of the async_queue_size parameter; the recommended value should not be more than async_queue_size / 2. |
| radius_server | secret@ip%dev:port{;param=value}* | no | Specifies a single Radius server and its configuration parameters: secret - the secret of the Radius server; IP - the Radius server IP address; dev (optional) - the name of the interface used to establish connection; if it is not specified, then the interface will be selected by the operating system; port is the port; param=value is the configuration parameters (via semicolon) for a given Radius server. See the Radius_server parameter description |
Radius_server parameter description
Each Radius server is described by a separate radius_server parameter in the configuration file. At least two radius servers are typically specified: the primary Radius server and the backup one, it implies that there must be at least two lines with the radius_server parameter, i.e. one line for the primary Radius server and second one - for the backup servers. The maximum number of Radius servers is 16. The Radius server specified in the configuration file in the first place is considered as the main server, whereas the rest ones (specified within the configuration file later on) are considered the backup ones. Backup servers are used when the main one is unreachable in the order in which they are specified within the conf file. At any given moment, only one Radius server is active.
The configuration parameters of the radius server can be specified in three ways:
- Values that are the same for all the Radius servers - they are specified as normal parameters in the fastpcrf.conf file. The main idea is that they must be specified before the
radius_serverparameters, only in this case they will be applied to all the Radius servers. - You can create your own configuration file for each radius-server, whose name is specified by the
confparameter within theradius_serverline, for example:radius_server=secret@10.10.3.5:1812;conf=radius-main.conf
In this example, the values from radius-main.conf take precedence over the values of common Radius servers parameters.
- Parameters unique to a given radius server can be specified explicitly in the
radius_serverline, for example:radius_server=secret@10.10.3.5:1812;conf=radius-main.conf;msg_auth_attr=1
In this example, the msg_auth_attr parameter is specified for a given 10.10.3.5 server and overrides the value of the corresponding parameter in the radius-main.conf configuration file. Note that the order in which the parameters appear within the radius_server line is very important: the parameters will by applied following the exact order they are specified in the radius_server line. If you invert conf and msg_auth_param in the example above and if msg_auth_param=0 within the radius-main.conf configuration file, then msg_auth_param= 0 will be used from radius-main.conf instead.
Individual parameters of Radius servers
| Parameter in fastpcrf.conf | Parameter in radius_server | Format | Default value | Description |
|---|---|---|---|---|
| radius_dead_timeout | dead_timeout | seconds | 60 | If within this period there is no responses from the Radius server, whereas requests are being sent, then the server is considered to be inactive, so the FastPCRF switches to the next Radius server from the list. If the main radius-server does not respond, then the radius_revive_period timer will be started and after its expiration a reconnection attempt to the main Radius server will be made. |
| radius_max_connect_count | max_connect_count | number | 16 | The maximum number of connections to one Radius server. According to RFC 2865, an identifier allowing you to compare request and response occupies 1 byte field, which suggests that one connection can simultaneously handle up to 256 requests. To overcome this limitation, the specification suggests creating several connections to a single Radius server. Actually, this parameter specifies the number of simultaneous requests to one Radius server:radius_max_connect_count * 256. |
| radius_response_timeout | response_timeout | seconds | 30 | Timeout for a response to an Access-Request request to the Radius server. If the response to the request hasn't been received within this period of time, the request is considered to be dropped by the Radius server (for example, due to “too much simultaneous requests”) and fastpcrf tries to send the request again. |
| radius_resend_count | resend_count | number | 0 | The maximum number of attempts to resend the requests. If the number of attempts to resend the requests is exhausted and the response from the Radius server is not received, fastpcrf does not report anything to the fastdpi server. If there is no response to authorization request within a certain timeout (the auth_resend_timeout parameter in the fastdpi.conf file) the Fastdpi will send a renewed authorization request. |
| radius_status_server | status_server | boolean type | 1 | The parameter specifying whether the Radius server supports the Status-Server request defined in the RFC 5997. This request type is used by fastpcrf to ping the Radius server, especially when the main radius server is temporarily unavailable. Without Status-Server support, it is very difficult to understand that the main Radius server has recovered. |
| radius_user_password | user_password | line | VasExperts.FastDPI | User-Password attribute value in the Access-Request request. |
| radius_user_name_auth | user_name_auth | line | login,ip,qinq | Starting from the VAS Experts DPI version 7.4, в fastpcrf.conf параметр radius_user_name_auth задает значение атрибута User-Name в порядке предпочтения: login - использовать логин абонента ip - использовать IP-адрес абонента qinq - использовать QinQ-тег в формате «outerVLAN.innerVLAN»; например, «101.205» |
| radius_unknown_user | unknown_user | строка | VasExperts.FastDPI.unknownUser | Логин пользователя, если настоящий логин неизвестен FastDPI. Это значение атрибута User-Name запроса Access-Request, если radius_user_name_ip=0 и логин пользователя неизвестен. Предполагается, что radius-сервер в ответе Access-Accept сообщит истинный логин пользователя, определенный по его IP-адресу, взятому из атрибута Framed-IP-Address. Следует учитывать, что данный параметр тесно связан с параметром radius_user_name_auth и применяется, только если никакой способ задания атрибута User-Name не применим. |
| radius_unknown_user_psw | unknown_user_pws | строка | VasExperts.FastDPI | Значение атрибута User-Password для неизвестного логина пользователя. Применяется только если radius_user_name_ip=0. |
| radius_msg_auth_attr | msg_auth_attr | булев тип | 1 | Параметр, поддерживает ли radius-сервер атрибут Message-Authenticator из RFC 2869. Если атрибут поддерживается, FastPCRF будет вычислять и включать Message-Authenticator в каждый запрос Access-Request и Status-Server, а также анализировать этот атрибут в ответах; если в ответе проверка атрибута Message-Authenticator заканчивается ошибкой, то такой ответ отбрасывается. |
| radius_attr_nas_port_type | attr_nas_port_type | число | 5 (Virtual) | Значение атрибута NAS-Port-Type (RFC 2865) запроса Access-Request. |
| radius_attr_nas_ip_address | attr_nas_ip_address | IPv4-адрес | нет | Значение атрибута NAS-IP-Address из RFC 2865 запроса Access-Request. Если не задан – атрибут NAS-IP-Address не включается в запрос. |
| radius_attr_nas_id | attr_nas_id | строка | нет | Значение атрибута NAS-Identifier запроса Access-Request. Согласно RFC2865, либо NAS-IP-Address, либо NAS-Identifier должен быть задан в Access-Request. |
| radius_attr_service_type | attr_service_type | число | 2 (Framed) | Значение атрибута Service-Type из RFC 2865 запроса Access-Request. |
| radius_attr_cui | attr_cui | булев тип | 1 | Параметр, поддерживает ли radius-сервер атрибут Chargeable-User-Identity (CUI) из RFC 4372. Если этот атрибут поддерживается, то FastPCRF в запросе Access-Request помещает в этот атрибут логин пользователя; если логин неизвестен, то в атрибут помещается нулевой байт, что означает, согласно RFC 4372, запрос логина у radius-сервера. В ответе Access-Accept FastPCRF ожидает прихода в этом атрибуте истинного логина пользователя, который radius-сервер может определить по его IP-адресу (атрибут Framed-IP-Address запроса). |
| radius_coa_port | coa_port | UDP-порт | 3799 | UDP-порт, на который поступают Change-of-Authorization (CoA) оповещения Disconnect-Request, CoA-Request из RFC 5176. Если radius-сервер не поддерживает CoA, следует задать этому параметру значение 0. |
| radius_coa_resend_timeout | coa_resend_timeout | секунды | 1 | Тайм-аут перепосылки CoA-ответов (Disconnect-ACK, Disconnect-NAK, CoA-ACK, CoA-NAK) в случае проблем с сокетом (обычно переполнение очереди сокета). Количество повторных попыток задается параметром radius_resend_count. |
| coa_reauth_ack | coa_reauth_ack | булев тип | 0 | Как отвечать на CoA-Request с Service-Type=8 (Authenticate-Only): 0 (значение по умолчанию) - по RFC5176 p.3.2: отвечать CoA-NAK с Error-Cause=507 (Request Initiated) 1 - нестандартное поведение: отвечаем CoA-ACK |
Was this information helpful?