Response to Access-Request [VAS Experts Documentation]

Response to Access-Request

In DHCP Radius proxy mode, the response to a Radius Access-Request must carry both the IP address assignment and the subscriber's authorization parameters for fastDPI, that is, the policing profile and the activated VAS Experts DPI services (for details of mode compatibility see DHCP Proxy and L3 authorization). Note that even a blocked subscriber (for example, one blocked for lack of funds on the account) must be assigned a valid IP address. In effect, the response has to answer two questions:

  • for DHCP: the user's IP address and network settings;
  • for authorization: whether the user is authorized, and what the policing profile and activated services are.

From the DHCP point of view, if an Access-Accept or Access-Reject response contains the Framed-IP-Address attribute, the response is interpreted as a successful IP address assignment to the user. In addition to the IP address, the following DHCP options are supported:

  • The subnet mask (opt1) is extracted from the Framed-IP-Netmask Radius attribute [9].
  • The MTU size (opt26) is extracted from the Framed-MTU Radius attribute [12].
  • The IP address lease duration (opt51) is extracted from the Session-Timeout Radius attribute [27].
  • The default gateway address (opt3) is extracted from the VasExperts-DHCP-Gateway VSA attribute (vendor-id = 43823, attr-id = 42).
  • The static routing table (opt121) is extracted from the Framed-Route Radius attribute [22]. The Radius response can contain up to 16 Framed-Route attributes; the attribute format is 'CIDR-netmask gateway-IP <other data>'. For example, '5.128.0.0/16 192.168.10.1' means that the gateway for the 5.128.0.0/16 network is 192.168.10.1 ('other data' is ignored).
  • DNS servers (opt6) are extracted from the VasExperts-DHCP-DNS VSA attributes (vendor-id = 43823, attr-id = 41). Several (up to 16) VasExperts-DHCP-DNS attributes can be specified.

Other DHCP options can be specified by special VSA attributes.

DHCP parameters that are common to all users can be specified in the fastpcrf.conf configuration file:

  • dhcp_netmask - subnet mask
  • dhcp_gateway - default gateway address
  • dhcp_lease_time - IP address lease duration, in seconds
  • dhcp_mtu - MTU size
  • dhcp_dns - DNS server address. Each DNS server is specified by a separate dhcp_dns configuration option. Up to 16 DNS servers can be configured.

The rule for converting Radius attributes into DHCP response options is simple: if the Radius response does not contain the corresponding attribute, its value is taken from fastpcrf.conf; if the corresponding option is not specified in fastpcrf.conf either, the DHCP option is not included in the response.

If the Radius response contains the Framed-IP-Address attribute, the user has been assigned an IP address. The type of the response (Access-Accept, access permitted, or Access-Reject, access denied) is then analyzed, and the attributes describing the subscriber's policing profile and the list of activated services are extracted from the response, as described in the BRAS-L3 authorization section.

If the Radius response does not contain the Framed-IP-Address attribute, it is considered impossible to lease an IP address to the user. No response is sent to the user equipment, which in DHCP terms is equivalent to refusing the IP address assignment. The authorization parameters are ignored completely.
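The conversion rules above can be modelled in a few lines, which is useful for checking what a given billing response will produce before it reaches subscribers. This is an added example, not fastPCRF code: the function names, the dict representation of the Radius reply and of fastpcrf.conf, and the simplified `authorized` flag are assumptions; the attribute names, option numbers and limits are the ones listed on this page.

```python
import ipaddress

MAX_MULTI = 16  # the page allows up to 16 Framed-Route / DNS attributes

# DHCP option -> (Radius attribute, fastpcrf.conf fallback key), as listed on the page
SINGLE = {
    1:  ("Framed-IP-Netmask", "dhcp_netmask"),
    3:  ("VasExperts-DHCP-Gateway", "dhcp_gateway"),
    26: ("Framed-MTU", "dhcp_mtu"),
    51: ("Session-Timeout", "dhcp_lease_time"),
}

def parse_framed_route(value):
    """'CIDR-netmask gateway-IP <other data>' -> (network, gateway); other data is ignored."""
    fields = value.split()
    if len(fields) < 2:
        raise ValueError(f"malformed Framed-Route: {value!r}")
    # Address validation is a choice of this sketch, not documented product behaviour.
    net = ipaddress.ip_network(fields[0], strict=False)
    gw = ipaddress.ip_address(fields[1])
    return str(net), str(gw)

def build_dhcp_reply(code, attrs, conf):
    """attrs maps attribute name -> list of values. None means: send nothing to the client."""
    ip = attrs.get("Framed-IP-Address")
    if not ip:
        return None  # no lease possible; authorization parameters are ignored
    options = {}
    for opt, (attr, key) in SINGLE.items():
        if attrs.get(attr):          # the Radius attribute wins
            options[opt] = attrs[attr][0]
        elif key in conf:            # otherwise the fastpcrf.conf default
            options[opt] = conf[key]
    dns = attrs.get("VasExperts-DHCP-DNS") or conf.get("dhcp_dns", [])
    if dns:
        options[6] = list(dns[:MAX_MULTI])
    routes = [parse_framed_route(r) for r in attrs.get("Framed-Route", [])[:MAX_MULTI]]
    if routes:
        options[121] = routes
    # The address is leased for Access-Accept and Access-Reject alike.
    return {"ip": ip[0], "options": options, "authorized": code == "Access-Accept"}

# Constructed sample: a blocked subscriber (Access-Reject) who still receives an address.
SAMPLE_ATTRS = {"Framed-IP-Address": ["192.168.10.25"], "Session-Timeout": ["600"],
                "Framed-Route": ["5.128.0.0/16 192.168.10.1 1"]}
SAMPLE_CONF = {"dhcp_netmask": "255.255.255.0", "dhcp_lease_time": "3600",
               "dhcp_dns": ["192.168.10.2"]}
```

With the sample data, the lease time comes from Radius, the netmask and DNS server from fastpcrf.conf, and the gateway and MTU options are omitted because neither source defines them.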