Radius Access-Reject
Access-Reject authorization denial (Access-Challenge is also treated as authorization denial) should contain special user attributes:
- special policing profile (for example, strong bandwidth reduction)
- the name of service 5 profile (whitelist) – specifies the list of sites the user is allowed to visit
Note that the authorization denial is interpreted by L3 BRAS as a special, highly restricted subscriber access to the network. That is, network access is still provided, with some exceptions. These restricted access options are optionally specified in the Access-Reject attributes using a special policing profile and service 5, along with the Captive Portal.
- Framed-IP-Address – the user IP address (the same as in the request). This attribute is mandatory.
- The username (login) – corresponds to one of the following attributes: VasExperts-UserName, Chargeable-User-Identity (CUI), User-Name
- VasExperts-Policing-Profile – the name of the user policing profile; if this attribute is not present in the Access-Reject, the user is assigned the default profile specified by the default_reject_policing configuration option in the fastpcrf.conf file. No more than one VasExperts-Policing-Profile attribute is allowed within the Access-Reject.
- VasExperts-Service-Profile – the name of the service 5 profile (whitelist), for example: VasExperts-Service-Profile=5:my_white_list. If this attribute is not present in the Access-Reject, the user is assigned the service 5 profile given by the default_reject_whitelist option in the fastpcrf.conf file.
- VasExperts-Multi-IP-User – indicates how many IP addresses are associated with the user. If the VasExperts-Multi-IP-User attribute is not specified, the user is assumed to have just one IP address. Note that this attribute defines an important user property which strongly affects the fastDPI behavior.
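The following is an added example, not VAS Experts code: a Python check a RADIUS server operator could run over a denial reply before sending it, applying the attribute rules listed above and showing which defaults would take effect. The function name, the (name, value) pair representation, the placeholder default profile names, the login attribute lookup order and the handling of a repeated service 5 profile are assumptions.

```python
from collections import defaultdict

# Constructed stand-ins for the two fastpcrf.conf options named above; the
# profile names are placeholders, not values shipped with the product.
DEFAULTS = {
    "default_reject_policing": "PLACEHOLDER_reject_policing",
    "default_reject_whitelist": "PLACEHOLDER_reject_whitelist",
}
# Assumption: login attributes are tried in the order the page lists them.
LOGIN_ATTRS = ("VasExperts-UserName", "Chargeable-User-Identity", "User-Name")


def resolve_reject(code, avps, request_ip, defaults=DEFAULTS):
    """Check a denial reply and return the restricted access it would produce.

    avps is a list of (name, value) pairs, since RADIUS attributes can repeat.
    Raises ValueError when the reply breaks a rule from the attribute list.
    """
    if code not in ("Access-Reject", "Access-Challenge"):
        raise ValueError(f"{code} is not an authorization denial")
    seen = defaultdict(list)
    for name, value in avps:
        seen[name].append(value)

    # Mandatory, and must repeat the address from the Access-Request.
    if seen["Framed-IP-Address"] != [request_ip]:
        raise ValueError("Framed-IP-Address missing or differs from the request")

    policing = seen["VasExperts-Policing-Profile"]
    if len(policing) > 1:
        raise ValueError("more than one VasExperts-Policing-Profile")

    # Only a service 5 profile ("5:<name>") selects the whitelist.
    # Assumption: if several are sent, the first one is used.
    whitelists = [v[2:] for v in seen["VasExperts-Service-Profile"] if v.startswith("5:")]
    multi_ip = seen["VasExperts-Multi-IP-User"]
    return {
        "ip": request_ip,
        "login": next((seen[a][0] for a in LOGIN_ATTRS if seen[a]), None),
        "policing_profile": policing[0] if policing else defaults["default_reject_policing"],
        "whitelist_profile": whitelists[0] if whitelists else defaults["default_reject_whitelist"],
        # None means the attribute was absent, so a single IP address is assumed.
        "multi_ip_user": multi_ip[0] if multi_ip else None,
    }
```
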
The key features of Access-Reject handling
The attributes used in the Access-Reject are applied temporarily. While the user properties delivered within the Access-Accept attributes are stored in the internal fastDPI database (UDR) and are applied even after the reboot, the Access-Reject attributes are applied without being saved in the UDR database. That is, when the fastDPI is rebooted the user properties delivered last time within the Access-Accept will be restored and applied by the fastDPI until it receives new ones in response to the Access-Request.
Some Radius client implementations do not allow subscriber attributes to be used within the Access-Reject. In such cases the VAS Experts DPI offers the VasExperts-Restrict-User VSA.