Interrelation of DHCP Radius proxy and L3 authorization modes [VAS Experts Documentation]

As stated earlier, in DHCP Radius proxy mode a single Radius response contains both the DHCP parameters and the fastDPI subscriber profiles. If this is unacceptable, starting from version 7.4 you can enable separate processing with the bras_dhcp_auth_mix configuration option in fastdpi.conf:

  • 0 - the Radius provides only the DHCP parameters in the response to DHCP.
  • 1 - the Radius provides both the DHCP and auth-parameters in the response to DHCP. This is the default value for the option.

In the bras_dhcp_auth_mix = 0 mode, L3 auth and DHCP operate independently, each responsible for its own part. Both the requests initiated by DHCP and the L3 authorization requests are sent to the Radius. Attributes in the Radius responses to DHCP that specify policing profiles and services are ignored. Attributes in the Radius responses to L3 authorization that specify DHCP parameters are ignored. Recall that to enable L3 auth, the enable_auth=1 configuration option must be specified.

The bras_dhcp_auth_mix=1 mode is the most cost-effective in terms of requests to the Radius, but may be unacceptable for some providers (for example, when the Session-Timeout for DHCP is set to 1 month but needs to be 1 hour for the auth).

Regardless of the bras_dhcp_auth_mix value, you have to specify enable_auth = 1 in fastdpi.conf for subsequent CoA processing. When L3 authorization is enabled, CoA notifications about changes to subscriber profiles and to the list of activated services, as well as Disconnect-Request, are processed. In this case, a Disconnect-Request does not terminate the DHCP session (the IP address remains assigned to the subscriber); it only means that the subscriber has lost authorization.
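
The following check is an added example, not part of the VAS Experts documentation or tooling: it audits the text of a fastdpi.conf for the interaction between bras_dhcp_auth_mix and enable_auth described above. It assumes "key=value" lines with "#" comments and treats an absent enable_auth as disabled; the function names and sample configurations are constructed for illustration.

```python
# Added example: audit fastdpi.conf text for the two options discussed on this page.
# Assumptions: "key=value" lines, "#" starts a comment, an absent enable_auth
# is treated as disabled. The default bras_dhcp_auth_mix=1 comes from the page.

def parse_conf(text):
    """Return {option: value}; the last assignment of an option wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit(text):
    """Return (mix, auth_enabled, findings) for the DHCP proxy / L3 auth setup."""
    opts = parse_conf(text)
    mix = opts.get("bras_dhcp_auth_mix", "1")
    auth = opts.get("enable_auth") == "1"
    findings = []
    if mix not in ("0", "1"):
        findings.append(f"bras_dhcp_auth_mix={mix} is not a documented value (0 or 1)")
    if not auth:
        findings.append("enable_auth=1 is missing: CoA and Disconnect-Request "
                        "will not be processed")
        if mix == "0":
            findings.append("bras_dhcp_auth_mix=0 without L3 auth: profile and service "
                            "attributes in DHCP responses are ignored and no L3 "
                            "authorization request is sent")
    elif mix == "1":
        findings.append("bras_dhcp_auth_mix=1: one Radius response carries DHCP and "
                        "auth parameters, so Session-Timeout is shared by both")
    return mix, auth, findings

# Constructed sample configurations (not taken from a real deployment).
SPLIT_NO_AUTH = "# DHCP Radius proxy, separate processing\nbras_dhcp_auth_mix=0\n"
SPLIT_WITH_AUTH = "bras_dhcp_auth_mix = 0\nenable_auth = 1  # L3 auth and CoA\n"
DEFAULT_MIXED = "enable_auth=1\n"

if __name__ == "__main__":
    for name, conf in [("split, no auth", SPLIT_NO_AUTH),
                       ("split, auth", SPLIT_WITH_AUTH),
                       ("default mixed", DEFAULT_MIXED)]:
        mix, auth, findings = audit(conf)
        print(f"{name}: mix={mix} enable_auth={int(auth)}")
        for finding in findings:
            print("  -", finding)
```
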