DHCP Radius proxy - Access-Request
The Radius Access-Request has the following attributes:
- User-Name - the MAC address from the DHCP request in the following format: XX:XX:XX:XX:XX:XX. It is possible to use QinQ tags as the User-Name in Q-in-Q networks, see below.
- User-Password - the value of the dhcp_user_psw configuration option in the fastpcrf.conf file. This option sets the password for the DHCP Radius proxy mode. If the option is not specified, the Radius server user_password option is used instead.
- NAS-IP-Address - if the DHCP request contains the Relay agent IP address, the NAS-IP-Address attribute is set to that IP address. If there is no Relay agent, the attribute contains the virtual IP address of the VAS Experts DPI specified by the bras_arp_ip option in the fastdpi.conf file. By analyzing this attribute value you can determine which subnetwork (which Relay agent) the Radius request came from.
- NAS-Port-Type - contains the radius_attr_nas_port_type option value for the corresponding Radius server; the value is specified in the fastpcrf.conf file.
- NAS-Port - used only for VLANs (with one VLAN) and corresponds to the VLAN number.
- NAS-Port-Id - used only for QinQ networks (with double VLAN) and contains the corresponding VLANs as a string separated by '/', for example: "123/67"
- Framed-IP-Address - contains the subscriber IP address; it is used only when the subscriber IP address is known.
VSA (Vendor-Specific Attributes) for VendorId=43823 (corresponds to the VAS Experts DPI):
- [6] VasExperts-Service-Type - contains the value 1. The attribute value shows which type of Access-Request was received: 0 - authorization request, 1 - DHCP request
- [37] VasExperts-DHCP-Request - the DHCP request type: 0 - DHCP-Discover, 1 - DHCP-Inform, 2 - DHCP-Request
- [38] VasExperts-DHCP-RelayRemoteId - the Relay Remote Id suboption value contained in option 82 (Relay Agent Info) of the DHCP request (binary)
- [39] VasExperts-DHCP-RelayCircuitId - the Relay Circuit Id suboption value contained in option 82 (Relay Agent Info) of the DHCP request (binary)
- [36] VasExperts-DHCP-Client-IP - the desired user IP address. It is extracted from option 50 (Requested Client IP address) of the DHCP-Discover; it can be used only as a hint when the request is handled. In the case of DHCP-Inform this is the same IP address as the Framed-IP-Address value
- [32] VasExperts-DHCP-Hostname - the option 12 value (hostname) of the DHCP request (binary)
- [33] VasExperts-DHCP-ClientId - the option 61 value (client id) of the DHCP request (binary)
- [34] VasExperts-DHCP-ClassId - the option 60 value (vendor class id) of the DHCP request (binary)
- [35] VasExperts-DHCP-RelayInfo - the option 82 value (relay agent info) of the DHCP request (binary)
Attributes that match DHCP option values are added to the Access-Request only if the corresponding option is present in the DHCP request.
User-Name attribute values
Starting from VAS Experts DPI version 7.4, it can be specified which options are allowed to be included in the User-Name attribute. The radius_user_name_dhcp option in the fastpcrf.conf file is designed for this purpose and specifies the possible User-Name values in order of preference:
- mac - User-Name = MAC address in the XX:XX:XX:XX:XX:XX format
- qinq - for QinQ (vlan-per-user) networks: User-Name = outerVLAN.innerVLAN, for example, "56.176"
- opt61@opt60 - DHCP option 61 value (MAC address) '@' opt60 (Vendor-Class-Id)
- chaddr@opt60 - MAC address from the DHCP packet header (chaddr) '@' opt60 (Vendor-Class-Id)
Example:
# If QinQ tags are present, then User-Name=outerVLAN.innerVLAN
# else User-Name=MAC address
radius_user_name_dhcp=qinq,mac

The default value:
radius_user_name_dhcp=mac,qinq
The differences from the Radius request for authorization
You can distinguish a "pure" authorization request from a request in the "DHCP Radius proxy" mode by the VasExperts-Service-Type attribute value.
Note that even in the "DHCP Radius proxy" mode, when the IP address is successfully assigned, the fastDPI server needs to receive the user login, the policing profile and the activated services in the corresponding response, as described in the BRAS authorization section. Otherwise fastDPI will be unable to apply the correct policies to user traffic, especially in the case of a corporate multi-IP user with multiple IP addresses bound to the same login.
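The VSA list above and the VasExperts-Service-Type check from this section, as an added example that is not part of the original documentation or of VAS Experts code: a Radius-server-side decoder that walks the Access-Request attributes and classifies the request. It assumes the RFC 2865 recommended VSA layout and 4-byte big-endian integers for attributes 6 and 37; the function names and the sample attributes are constructed.

```python
import struct

VENDOR_ID = 43823  # VAS Experts DPI, from the page
# VSA numbers and names as listed on the page (prefix added on output)
VSA_NAMES = {6: "Service-Type", 32: "DHCP-Hostname", 33: "DHCP-ClientId",
             34: "DHCP-ClassId", 35: "DHCP-RelayInfo", 36: "DHCP-Client-IP",
             37: "DHCP-Request", 38: "DHCP-RelayRemoteId",
             39: "DHCP-RelayCircuitId"}
INT_VSAS = {6, 37}  # assumption: encoded as 4-byte big-endian integers
DHCP_TYPES = {0: "DHCP-Discover", 1: "DHCP-Inform", 2: "DHCP-Request"}

def parse_vsas(attrs: bytes) -> dict:
    """Walk the attribute TLVs and return the vendor 43823 VSAs by name."""
    out, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != 26 or len(value) < 6:   # 26 = Vendor-Specific
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_ID:
            continue
        sub = value[4:]                     # vendor-type, vendor-length, data
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("bad VSA length")
            data, sub = sub[2:vlen], sub[vlen:]
            if vtype in INT_VSAS and len(data) == 4:
                data = struct.unpack("!I", data)[0]
            out["VasExperts-" + VSA_NAMES.get(vtype, str(vtype))] = data
    return out

def classify(vsas: dict) -> str:
    """Map Service-Type / DHCP-Request to the request kinds the page lists."""
    service = vsas.get("VasExperts-Service-Type")
    if service == 0:
        return "authorization"
    if service != 1:
        return "unknown"
    return DHCP_TYPES.get(vsas.get("VasExperts-DHCP-Request"), "dhcp-unknown")

def vsa(vtype: int, data: bytes) -> bytes:
    """Build one Vendor-Specific attribute (only for the constructed sample)."""
    body = struct.pack("!I", VENDOR_ID) + bytes([vtype, len(data) + 2]) + data
    return bytes([26, len(body) + 2]) + body

# Constructed sample: User-Name plus the VSAs a DHCP-Discover would carry
SAMPLE = (bytes([1, 19]) + b"00:11:22:33:44:55" + vsa(6, struct.pack("!I", 1))
          + vsa(37, struct.pack("!I", 0)) + vsa(32, b"cpe-01"))
```

The binary attributes (hostname, client id, option 82 and its suboptions) come from the DHCP client or relay, so they are returned as raw bytes and should be treated as untrusted input when logged or used in lookups.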
CoA
CoA notifications are supported in the DHCP Radius proxy mode; for details, see DHCP Proxy and L3 authorization. Please note that a CoA notification is not associated with a change of DHCP parameters: it only indicates that the user authorization parameters have changed, while the DHCP session stays the same.
The same applies to the Disconnect-Request notification: this notification only indicates that the user has become unauthorized (run out of money, for example), but their IP address and other DHCP attributes remain unchanged. Disconnect-Request does not recreate the DHCP session.