Ubiquiti EdgeRouters PPPoE Radius support

UBNT EdgeRouters can act as a PPPoE server, with authentication of CPEs, providing statistics, blocking end users, and setting up speed limits and FUP rules.

Let’s divide it into parts:

1. Configure EdgeRouter PPPoE server with Radius
2. Configure EdgeRouter PPPoE server for incoming Radius packets
3. Add EdgeRouter to Splynx
4. Connect PPPoE customer and check that everything is working fine
5. Install other useful tools on EdgeRouter

1. Configure EdgeRouter PPPoE Server with Radius support

The first step is to upgrade the system to version 1.5 or higher, because support for Radius attributes was added to EdgeOS in this version. The version we describe here is EdgeOS v1.8.5.
The upgrade can be done in the CLI with these commands:
add system image http://dl.ubnt.com/...
add system image new-version-1085.tar

Second step – we need to define the IP address for communication between Radius and EdgeRouter.
In my case it’s 10.0.1.166, set it up as the main IP of EdgeRouter with a command (in configure mode):

set system ip override-hostname-ip 10.0.1.166

Then I set up the PPPoE server with the mandatory settings:

edit service pppoe-server
set authentication mode radius
set authentication radius-server 10.10.10.65 key 12345
set client-ip-pool start 10.5.50.2
set client-ip-pool stop 10.5.50.200
set interface eth2

Radius configuration can also be done in the web browser:

Edge_Radius

2. Configure EdgeRouter PPPoE incoming packets

This is an important part, because we need to be able to change plans, disconnect customers or apply FUP rules. In all these cases Splynx Radius sends packets to the EdgeRouter.
The default port on UBNT is 3779. To enable incoming packet processing, run this command on EdgeOS:

sudo cp /opt/vyatta/etc/pppoe-server/start-pppoe-radius-disconnect /config/scripts/post-config.d/

and reboot the router.

To check whether packets are being received, use the log file pppoe-radius-disconnect.log:

tail /var/log/pppoe-radius-disconnect.log

Example of output when a disconnect packet was received by EdgeOS:

tail
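The packets that Splynx Radius sends to the router in this step are authenticated only by the shared secret configured in part 1. As an added example (not Splynx or EdgeOS code), the Python below builds a Disconnect-Request and runs the receiving side's authenticator check, assuming the router follows RFC 5176. The function names, user name and session ID are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST = 40                      # RFC 5176 packet code
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44

def attr(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _authenticator(code, ident, attrs, secret):
    # MD5(Code + Identifier + Length + 16 zero bytes + attributes + secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_disconnect(ident, secret, user, nas_ip, session_id):
    """Server side: build a signed Disconnect-Request for one session."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(ACCT_SESSION_ID, session_id.encode()))
    auth = _authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs

def verify_disconnect(packet, secret):
    """Router side: return {type: value} if the packet is authentic, else None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):  # stricter than the RFC
        return None
    attrs = packet[20:]
    if not hmac.compare_digest(_authenticator(code, ident, attrs, secret), packet[4:20]):
        return None
    parsed, i = {}, 0
    while i + 2 <= len(attrs):
        a_len = attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            return None                      # malformed attribute
        parsed[attrs[i]] = attrs[i + 2:i + a_len]
        i += a_len
    return parsed if i == len(attrs) else None
```

A packet built with a different secret, or changed after it was signed, fails the check and returns None, so the key set on the router is the whole protection for this port and should be a long random value.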

3. Add EdgeRouter to Splynx and set up settings in Splynx

Just add a router to Splynx in Networking -> Routers and choose the NAS Type Ubiquiti

You can add additional attributes to the configuration of NAS Type under Config -> Networking -> Radius.
By default we support radius-rate-limit attributes to set up speeds of PPPoE tunnels.

4. Connect PPPoE customer and check that everything is working fine

Now we can connect the PPPoE user to EdgeRouter and check that everything went fine.
With the "show pppoe-server" command we can see how many users are connected to the PPPoE server.

Show_pppoe

In Splynx we can see whether a customer is online and get his stats.

Online

When we click the disconnect button, the customer should disappear from the online list and reconnect with a new session, which means that EdgeRouter accepted the incoming packet from Splynx Radius server.

5. Install other useful tools on EdgeRouter

PPPoE client tunnels are dynamically created and are not shown in the web dashboard. We need to get statistics of customer throughput, and a simple way to do it is to install the software bwm-ng. It’s located in the Debian repository, which means we need to add new repositories first and then install bwm-ng.
Add new repositories:

configure
set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy
set system package repository wheezy url http://http.us.debian.org/debian
set system package repository wheezy-security components main
set system package repository wheezy-security distribution wheezy/updates
set system package repository wheezy-security url http://security.debian.org
commit
save
exit

and install the tool

apt-get install bwm-ng

Now you can run bwm-ng -u bits to get the actual Kbps throughput of PPPoE clients.
An example of bwm-ng output is in the picture below:

BWM-NG

Now you can configure Splynx Radius server with UBNT EdgeRouter and benefit from a fast router that delivers 1 million packets per second routing performance in a compact and affordable unit!

If you face any difficulties, use our forum – https://splynx.com/forums/ or submit us a ticket – https://splynx.com/my-tickets/

UBNT AirOS wireless Radius authentication

Ubiquiti access points have the ability to authenticate radios via a Radius server. This means the admin doesn’t have to maintain local passwords for wireless authentication; each CPE/radio can have its own account in the Splynx ISP Framework and our Radius server will authenticate UBNT CPEs.

Usually an ISP already has a PPPoE or similar authentication mechanism, which is why wireless Radius authentication is added in Splynx to existing customers as one new (empty) service.

In the first step we define a Plan in Splynx with 0 price and 0 in all other fields.

Then, we should add a wireless service to the customer and enter his login and password.

New_service

It is also important to add the AP to Splynx.

U_router

In the last step we should enable Wireless Radius authentication EAP on the UBNT router and set up a Radius server IP address and secret.

UBNT_wireless

Now we can connect a UBNT radio CPE to a UBNT Access Point.

U_CPE

Smart bandwidth management – FUP module

Many ISPs use a Fair User Policy (FUP). This means if a customer downloads or uploads more than a certain amount of data, his speed is reduced. We’ve moved this idea on to a different level and made it as configurable as it can be. Splynx is also a very powerful RADIUS server, please check this out here.

In the Splynx ISP Framework we have smart bandwidth management. You can define customer speed based on the amount of traffic consumed per month, per week, or even per day. You can also set up maximum online time in hours per customer.

Do you want to give your users double speed at night, unlimited traffic on the weekends, or set up a speed limit for downloaders who exceed the daily download limit? Do it with Splynx right now!

FUP settings are located in Plan under the arrow button

Let’s create an example. We have a 5 Mbps download and upload plan. I’ve decided there will be unlimited traffic for customers on weekends and they will get 7 Mbps on Saturdays and Sundays. The first rules have been created below. The first rule is “Unlimited traffic on weekends”:

Don't count weekends

Speed increased by 40%, from 5 Mbps, on Saturdays and Sundays:

7Mb on weekends

Then we can check what rule will be applied on Saturday:

The next step is to set up a rule for downloaders with transfers of 10GB per day – I will reduce their speed to 2 Mbps after they reach 10 GB in one day.

high_download

I’ll set up a total monthly usage limit of 100 GB; after this limit is reached, we will give the user 1 Mbps. When the user reaches 110 GB, we will block him and charge for additional data.

Total

As you can see in the last picture, we have created a comprehensive bandwidth management policy for a 5 Mbps plan. You can use our FUP builder and create your own rules! Speed limitation is done via Radius using CoA attributes on any supporting equipment or via Mikrotik API on RouterOS.
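The policy built above, replayed over a constructed run of days as an added example (not Splynx code). The rule order used here, with the monthly and daily limits taking priority over the weekend speed, is an assumption, as are the function names and the usage figures.

```python
from datetime import date, timedelta

GB = 10**9
BASE_MBPS = 5                                # the 5 Mbps plan from the example

def decide(day_bytes, month_bytes, day):
    """Return (rule, Mbps) for the example policy; first match wins (assumed order)."""
    if month_bytes >= 110 * GB:
        return ("block", 0)                  # blocked, additional data is charged
    if month_bytes >= 100 * GB:
        return ("monthly-limit", 1)
    if day_bytes >= 10 * GB:
        return ("daily-limit", 2)
    if day.weekday() >= 5:                   # Saturday = 5, Sunday = 6
        return ("weekend", 7)                # 5 Mbps plus 40%
    return ("plan", BASE_MBPS)

def simulate(start_iso, daily_gb):
    """Replay per-day usage (GB) within one month; return the state at each day's end."""
    start = date.fromisoformat(start_iso)
    month_bytes, timeline = 0, []
    for offset, gb in enumerate(daily_gb):
        day = start + timedelta(days=offset)
        # "Unlimited traffic on weekends": weekend traffic is not counted at all.
        counted = 0 if day.weekday() >= 5 else int(gb * GB)
        month_bytes += counted               # the daily counter restarts every day
        timeline.append((day.isoformat(), *decide(counted, month_bytes, day)))
    return timeline

# Constructed usage in GB per day, starting on Friday 2016-04-01.
SAMPLE_USAGE = [3, 30, 30, 12, 25, 25, 25, 12, 5, 5, 9]

if __name__ == "__main__":
    for entry in simulate("2016-04-01", SAMPLE_USAGE):
        print(entry)
```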

Manage your whole network! Radius server + MikroTik API in Splynx

The core of the Splynx ISP Framework covers two important areas of ISP network management – AAA and bandwidth management. Radius server is used for these technologies: PPPoE, IPoE, DHCP, Hotspot, Static IPs. Mikrotik API can be used for advanced bandwidth management.

1. AAA. 

Authentication, authorization and customer accounting in an ISP network. Splynx has its own stable and scalable Radius server which helps you manage connections, hotspots, redirections, blocking of non-payers and admin access to equipment. More information about AAA in Splynx can be found in the following article: https://splynx.com/3186/splynx-radius-server/

2. Speed limitation and queues. 

Mikrotik RouterOS has a smart system of Queue Trees which can be used for contention purposes, limitation of speed and time-based access.
When you have hundreds or thousands of customers, you should create and maintain many different rules – one rule per customer, plus parent Queues for contention!

You can manage all Mikrotik queues centrally from Splynx. You can also upload local authentication rules, such as DHCP bindings, PPPoE users, Firewall entries or Wireless Access List using Mikrotik API. Authentication can be combined with the Radius server. Splynx supports Radius and the Mikrotik API at the same time.

We provide a way to divide where authentication is created and where queues are set up. This is used widely in Wireless ISP networks, because authentication is made in the AP closest to the customer, but queues are created in a central point or several central points. Another important feature is the ability to have the same queuing rules on different routers in mirroring mode.

Let’s imagine a situation when we are authenticating users in each AP with Radius DHCP and creating queues in our main location via the Internet. But then, we get a second uplink in a different location. There is an obvious need for queues in the second uplink location too, because customers can be routed to both of these routers, depending on the internal routing protocol. That is shown in the example below:

API-example

Splynx has a solution for setup with Mikrotik routers. As we described above, Splynx can authenticate users in one router, create queues in a second router and mirror them to a third router. This is achieved thanks to a flexible and stable API Framework internal infrastructure.

In the video manual below we describe advanced features and setup of MikroTik API and Radius in the Splynx ISP Framework.

IP address management

IP addresses are used in every corporate or ISP network. They’re an essential component of networking. There are several ways to manage IP address assignments. Many administrators, even in large companies, are still using Excel sheets due to a lack of smart IP address management tools. We recommend our engine for IP address management. This module is connected to the customer database in Splynx. When an IP address or subnet is assigned to a customer for his access, the IPs will be assigned in the IP address management tab as well. The main advantage of this is avoiding IP conflicts, when several customers get the same IP or an IP with the wrong range. Also you can always have an overview of the current situation with subnets.

Our video and screenshots below show a few steps for making this feature work:

 

1. Create a root network – create a larger network and add subnetworks to it. The root network is marked with yellow color.

 

ipman1

 

IP addresses inside the selected subnetwork are shown in the table:

 

2. You can statically define what a certain IP address is used for in the tool itself. When you assign an IP address to a customer, it’s locked in the IP address management tool, and if you try to assign an IP that is already in use, the system will prevent it.

 

3. As an extra feature you can send a Mass ping to devices in the selected network, split the network into smaller subnets or merge the network into a large one. You can switch to a graphical map view with icons to get quick information. All red icons mean that the IP address is not responding on Mass ping.

You can find a detailed explanation of IP address management in our video tutorial:

You can customize colors and types of devices, as well as add new types of equipment. The screenshot shows an example of how to visualize small networks (/29, /28 etc.) in one common /24 network.

IPAM customization

The second video tutorial shows how to customize the IP address management module and add more colors to it:


Should you have any questions regarding the IP address management or further information is needed, please contact us or schedule a call with our engineer.