Response to Access-Request
In DHCP Radius proxy mode, the response to a Radius Access-Request should contain both the IP address assignment and the subscriber authorization parameters for fastDPI, i.e. the policing profile and the services activated in VAS Experts DPI (for details of mode compatibility see DHCP Proxy and L3 authorization). Note that even a blocked subscriber (for example, due to lack of funds on the account) must be assigned a valid IP address. In effect, the response has to answer two questions:
- for DHCP: the user's IP address and network settings;
- for authorization: whether the user is authorized or not, and what the user's policing profile and activated services are.
From the DHCP point of view, if the Access-Accept or Access-Reject response contains the Framed-IP-Address attribute, then this response is interpreted as a successful IP address assignment to the user. In addition to the IP address, the following DHCP options are supported:
- The subnet mask (opt1) is extracted from the Framed-IP-Netmask Radius attribute [9].
- MTU size (opt26) is extracted from the Framed-MTU Radius attribute [12].
- The duration of the IP address lease (opt51) is extracted from the Session-Timeout Radius attribute [27].
- The default gateway address (opt3) is extracted from the VasExperts-DHCP-Gateway VSA attribute (vendor-id = 43823, attr-id = 42).
- The static routing table (opt121) is extracted from the Radius Framed-Route attribute [22]. The Radius response can contain up to 16 Framed-Route attributes; the attribute format is 'CIDR-netmask gateway-IP <other data>', for example, '5.128.0.0/16 192.168.10.1': the gateway for the 5.128.0.0/16 network is 192.168.10.1 ('other data' is ignored).
- DNS server (opt6) is extracted from the VasExperts-DHCP-DNS VSA attribute (vendor-id = 43823, attr-id = 41). Several (up to 16) VasExperts-DHCP-DNS attributes can be specified.
Other DHCP options can be specified by special VSA attributes.
DHCP parameters that are common to all users can be specified in the fastpcrf.conf configuration file:
- dhcp_netmask: subnet mask
- dhcp_gateway: default gateway address
- dhcp_lease_time: the duration of the IP address lease, specified in seconds
- dhcp_mtu: MTU size
- dhcp_dns: DNS server address. Each DNS server is specified by a separate dhcp_dns configuration option. Up to 16 DNS servers can be configured.
The principle of converting Radius attributes to DHCP response options is simple: if the Radius response does not contain the corresponding attribute, its value is taken from fastpcrf.conf; if the corresponding option is not specified in fastpcrf.conf either, the DHCP option is not included in the response.
If the Radius response contains the Framed-IP-Address attribute, the user is considered to have been assigned an IP address. The type of the response (Access-Accept, access permitted, or Access-Reject, access denied) is then analyzed, and the attributes describing the subscriber policing profile and the list of activated services are extracted from the response, as described in the BRAS-L3 authorization section.
If the Radius response does not contain the Framed-IP-Address attribute, it is considered impossible to lease an IP address to the user. No response is sent to the user equipment, which, in DHCP terms, is equivalent to refusing the IP address assignment. The authorization parameters are completely ignored.
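The attribute-to-option conversion described above, including the fastpcrf.conf fallback and the "no Framed-IP-Address, no reply" rule, as an added Python example (not VAS Experts code). The function names, the dict-of-lists input shape, the strict CIDR validation and the RFC 3442 byte encoding of opt121 are assumptions of this example; other option values are kept as strings.

```python
import ipaddress

MAX_MULTI = 16  # the page's limit for Framed-Route and VasExperts-DHCP-DNS

# DHCP option -> (Radius attribute, fastpcrf.conf fallback key)
OPTION_MAP = {
    1:  ("Framed-IP-Netmask", "dhcp_netmask"),
    3:  ("VasExperts-DHCP-Gateway", "dhcp_gateway"),
    6:  ("VasExperts-DHCP-DNS", "dhcp_dns"),
    26: ("Framed-MTU", "dhcp_mtu"),
    51: ("Session-Timeout", "dhcp_lease_time"),
}

def encode_route(value):
    """'CIDR gateway <other data>' -> RFC 3442 bytes for one opt121 entry."""
    fields = value.split()
    if len(fields) < 2:
        raise ValueError(f"malformed Framed-Route: {value!r}")
    # strict=True rejects a prefix with host bits set (this example's choice)
    net = ipaddress.IPv4Network(fields[0], strict=True)
    gw = ipaddress.IPv4Address(fields[1])  # fields[2:] is 'other data', ignored
    significant = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:significant] + gw.packed

def build_dhcp_reply(radius, conf):
    """radius/conf map a name to a list of string values; None means no DHCP reply."""
    if not radius.get("Framed-IP-Address"):
        return None  # no address leased: nothing is sent to the client
    reply = {"yiaddr": radius["Framed-IP-Address"][0], "options": {}}
    for opt, (attr, conf_key) in OPTION_MAP.items():
        # Radius value wins; otherwise fastpcrf.conf; otherwise option omitted
        values = radius.get(attr) or conf.get(conf_key) or []
        if values:
            # only DNS (opt6) is multi-valued; the others take the first value
            reply["options"][opt] = values[:MAX_MULTI] if opt == 6 else values[0]
    routes = radius.get("Framed-Route", [])[:MAX_MULTI]
    if routes:
        reply["options"][121] = b"".join(encode_route(r) for r in routes)
    return reply

# Constructed sample input (not from a real deployment)
SAMPLE_RADIUS = {
    "Framed-IP-Address": ["10.0.0.25"],
    "Framed-IP-Netmask": ["255.255.255.0"],
    "Framed-Route": ["5.128.0.0/16 192.168.10.1 1"],
}
SAMPLE_CONF = {"dhcp_dns": ["192.0.2.53", "192.0.2.54"], "dhcp_lease_time": ["3600"]}
```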