Splynx Radius server

The Splynx ISP framework consists of different sub-systems. One of the main and most important parts of the framework is the Splynx Radius server. It supports PPPoE, DHCP, IPoE, Hotspot, Wireless or Static IP/MAC authentication. The Splynx solution also provides smart bandwidth management, billing and other useful features.

Splynx Radius server is used to perform AAA tasks.
Authentication – networking equipment checks with the Radius server whether the login/password of the connecting device or user is correct. If it matches an entry in the Radius server, the device or user is able to access the equipment or get the service.
Authorization – defines which actions are allowed for the user or device and its privilege level.
Accounting – statistics of Internet usage or information about what was done on the equipment.

1. Administrative AAA.
Authentication: With Splynx you can set things up so that when an administrator accesses equipment, his credentials are checked against the Radius server database.
If his username/password is correct, he will be able to log in to the equipment. If not, he will not get access. This is a very convenient approach compared to local login.
Imagine you hire a new administrator and need to update hundreds of routers, APs and switches to create a local login for him everywhere.
Or you can give him one common login/password, but when a person leaves the company, you have to change those credentials everywhere.
It is better to connect all networking devices to the Radius server and verify administrator logins using the Radius protocol.
Authorization: different levels of access can be implemented. Some administrators can change the configuration, some can only view and read it.
Accounting: Splynx stores information about when the network unit was accessed by an administrator and what was done there.

Below are tutorials showing how to configure admin login using the Splynx Radius server on different platforms:

Mikrotik: Radius admin login to Mikrotik routers

Administrative login to Cisco devices

2. Customer’s AAA.
Splynx Radius server supports different ways of central customer authentication in the network of an Internet provider. The choice always depends on the topology of the ISP and the technology it decides to use. The widely used access technologies and their advantages and disadvantages are described below:

PPPoE – easy to maintain and implement. The customer sets up a username and password on the CPE device, and the CPE receives all networking settings from the PPPoE NAS (Network Access Server). It also provides encryption if needed, and accounting for getting usage statistics. It had issues with MTU in the past, but in recent years these issues were fixed by the main vendors.

IPoE (or DHCP) – DHCP authentication is based on the MAC address of the client. It can also be linked to the switch port where a customer is connected (DHCP option 82). Several vendors don’t provide accounting capability (Mikrotik routers).

Wireless Authentication – when an ISP has a wireless network, it needs to control the access of CPE devices to its Access Points. For this purpose, several wireless authentication methods are used, such as a password inside TDMA protocols or wireless access-lists.

Hotspot – customer has to enter his username and password on the webpage before using the Internet. Many hotspot networks allow free limited access and then charge customers for additional usage or advanced plans.

Static IP addressing – some ISPs don’t have central management of authentication and set up static IP addresses on CPE devices. With the Mikrotik RouterOS platform, Splynx can manage even customers who have static IPs in a VLAN per customer or a plain IPv4 connection. Splynx can also grab statistics from Mikrotik routers for such customers.

Below are manuals for different types of user authentication in Splynx ISP Framework:

Mikrotik: DHCP using Radius

Mikrotik: PPPoE and other PPP tunnels using Radius

Mikrotik: Hotspot with Radius

Mikrotik: Static IP addressing with API authentication/accounting

Mikrotik: Local DHCP with Mikrotik API

Ubiquiti: Wireless authentication with Radius

Ubiquiti: PPPoE authentication on Edge Routers


Should you have any questions regarding Splynx RADIUS server or further information is needed, please contact us or schedule a call with our engineer.

Splynx Radius configuration and troubleshooting

This is a post showing how to troubleshoot communication between a router (Mikrotik example) and Radius.

Video tutorial for Radius configuration can be found here – https://splynx.com/384/ispframework-and-radius-mikrotik-example/. Below are steps for Radius and Splynx configuration:

Step 1. Mikrotik Radius section
To configure Mikrotik router and Radius authentication, we should change the settings in Mikrotik Radius section.
1) Choose the services that have to be authenticated by Radius (ppp, DHCP, login etc.)
2) Enter IP address = Splynx IP address, reachable from Mikrotik
3) Secret = this value is located at Splynx -> Router -> Edit -> Radius secret

[Image: mikrotik_router_radius]

4) We cannot use more than one Radius server per Service

[Image: router_radius]

Step 2. MikroTik PPP (in case when PPPoE is used)
1) Under Secrets -> PPP Authentication & Accounting, enable “Use radius (yes), Accounting (yes)”

[Image: ppp_authentication]

2) Set Profile – default or default-encrypted, and set Local address (the IP of the Mikrotik router used for establishing PPP connections)

[Image: ppp_local_address]

Step 2. MikroTik DHCP
If we use IPoE authentication (DHCP), we should enable Radius communication on DHCP server.

[Image: radius_dhcp]

Step 2. MikroTik Hotspot
To enable Radius hotspot authentication, change the Hotspot configuration of Mikrotik under IP -> Hotspot as shown below:

[Image: radius_hotspot]

Once the services are enabled for Radius authentication, we can move forward and configure the router in Splynx.

Step 3. Splynx router configuration
Splynx -> Networking -> Routers: here you can edit or change router settings. The important fields to fill in are:
1) Radius Secret – should be the same as in the Mikrotik settings.
2) IP/Host – the real IP (or host, or dyndns host) from which Mikrotik sends packets. When there is NAT between Mikrotik and Splynx Radius, the host IP will be the public IP of the NAT router and the real IP will be the private IP of the Mikrotik router.
3) Authorization/Accounting – please set DHCP/PPP/HotSpot Radius. Even if you choose PPP, DHCP and Hotspot authentication will work as well. The difference is with DHCP Radius, where accounting is done over the API: to get statistics from the DHCP server, Splynx has to connect to the Mikrotik API. This is caused by unsupported Radius accounting packets on Mikrotik routers.
4) NAS IP – IP address of the router (the NAS-IP-Address attribute in the Radius packet). If you use the hostname of the router, you need to set this IP. (You can set this IP on Mikrotik under Radius – Src. Address.)

[Image: radius_settings]

Step 4. Define IP networks for IP assignments
Splynx -> Networking -> IPv4 networks
1) Add some network for dynamic assignment (pool) or permanent (static) usage

[Image: networks]

Step 5. Activate customer and set the Internet service
Once we have added the router and networks to Splynx, it’s the right time to add a customer and activate him.

[Image: active]

Then, we need to create an Internet service for the customer with PPP details (or MAC in case of DHCP authentication), IP address and other details.

[Image: service]

If all these steps were completed and the Mikrotik router still shows a Radius timeout in its log, we need to do some quick troubleshooting.

Troubleshooting
First of all, check the file in Splynx logs called radius/short. It can be found in section Splynx -> Administration -> Logs -> Files. If this file is empty, Radius server should be set to debug mode.

Splynx Radius server consists of 2 daemons – splynx_radd and freeradius. They have different debugging modes and show different information. Let’s start with splynx_radd debugging:

To enable debug mode of Splynx, connect via SSH to the Splynx server and change the configuration file: /var/www/splynx/config/radius.php
In the [debug] section, enable should be changed to “true”.

To restart the Radius server, enter this command over SSH: service splynx_radd restart

Now we can check the debug file, which is again accessible from the CLI of the Linux Splynx server:
/var/www/splynx/logs/radius/debug.log
The best way to check the file is the command tail -f /var/www/splynx/logs/radius/debug.log

If splynx_radd debug doesn’t show us anything, we can try to run the freeradius daemon in debug mode and see if any packets are received by the Radius server.

Run the CLI commands:
service freeradius stop
freeradius -Xxxx

and check the CLI console output.

If you don’t see any debug messages when a customer tries to connect to the Mikrotik router, it means that your router cannot send packets to or connect to the Radius server at all. In that case you have to verify the networking, routing and NAT settings of the network.

On the Mikrotik router you can also run extended debug to see exactly what the router is sending to the Radius server:

[Image: debug_router]

Ubiquiti EdgeRouters pppoe Radius support

UBNT EdgeRouters can act as a PPPoE server, with authentication of CPEs, providing statistics, blocking end users, and setting up speed limits and FUP rules.

Let’s divide it into parts:

1. Configure EdgeRouter pppoe server with Radius
2. Configure EdgeRouter pppoe server for incoming radius packets
3. Add EdgeRouter to Splynx
4. Connect PPPoE customer and check that everything is working fine
5. Install other useful tools to EdgeRouter

1. Configure EdgeRouter PPPoE Server with Radius support

The first step is to upgrade the system to version 1.5 or higher, because support for Radius attributes was added to EdgeOS in that version. The version we describe here is EdgeOS v1.8.5.
The upgrade can be done in the CLI with the commands:
add system image http://dl.ubnt.com/...
add system image new-version-1085.tar

Second step – we need to define the IP address for communication between Radius and EdgeRouter.
In my case it’s 10.0.1.166, set it up as the main IP of EdgeRouter with a command (in configure mode):

set system ip override-hostname-ip 10.0.1.166

Then I set up the PPPoE server with mandatory settings:

edit service pppoe-server
set authentication mode radius
set authentication radius-server 10.10.10.65 key 12345
set client-ip-pool start 10.5.50.2
set client-ip-pool stop 10.5.50.200
set interface eth2

Radius configuration can also be done in a web browser:

[Image: Edge_Radius]

2. Configure EdgeRouter PPPoE incoming packets

This is an important part, because we need to change plans, disconnect customers or apply FUP rules. In all these cases Splynx Radius sends packets to the EdgeRouter.
The default port of UBNT is 3779. To enable incoming packet processing, run this command on EdgeOS:

sudo cp /opt/vyatta/etc/pppoe-server/start-pppoe-radius-disconnect /config/scripts/post-config.d/

and reboot the router.

To check whether packets are received, use the file pppoe-radius-disconnect.log:

tail /var/log/pppoe-radius-disconnect.log

Example of output when a disconnect packet was received by EdgeOS:

[Image: tail]
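
Because these incoming packets change or end customer sessions, the receiving side should act only on packets that come from the Radius server and carry a valid authenticator. The following added example shows one way to perform that check for a Disconnect-Request as defined in RFC 5176 (it is not EdgeOS or Splynx code; the function names, the secret and the sample packet are constructed, and 10.10.10.65 is the radius-server address from the configuration above):

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41   # RFC 5176 packet codes
USER_NAME = 1                                 # RFC 2865 attribute type
ZERO_AUTH = b"\x00" * 16


def sign(code: int, ident: int, attrs: bytes, secret: bytes, seed: bytes = ZERO_AUTH) -> bytes:
    """Authenticator = MD5(code+id+length + seed + attrs + secret), RFC 5176 2.3.
    Requests use 16 zero octets as seed, replies use the request's authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + seed + attrs + secret).digest() + attrs


def parse_attrs(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        attrs[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return attrs


def handle_disconnect(packet: bytes, source_ip: str, radius_ip: str, secret: bytes):
    """Return (user_name, signed Disconnect-ACK), or None if the packet must be dropped."""
    if source_ip != radius_ip or len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + ZERO_AUTH + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    try:
        user = parse_attrs(packet[20:]).get(USER_NAME, b"").decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return user, sign(DISCONNECT_ACK, ident, b"", secret, seed=packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-secret"        # constructed sample values throughout
    req = sign(DISCONNECT_REQUEST, 9, bytes([USER_NAME, 7]) + b"alice", secret)
    print(handle_disconnect(req, "10.10.10.65", "10.10.10.65", secret))
    print(handle_disconnect(req, "10.5.50.9", "10.10.10.65", secret))
```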

3. Add EdgeRouter to Splynx and set up settings in Splynx

Just add a router to Splynx in Networking -> Routers and choose the NAS Type Ubiquiti


You can add additional attributes to the configuration of NAS Type under Config -> Networking -> Radius.
By default we support radius-rate-limit attributes to setup speeds of PPPoE tunnels.

4. Connect PPPoE customer and check that everything is working fine

Now we can connect the PPPoE user to EdgeRouter and check that everything went fine.
With the "show pppoe-server" command we can see how many users are connected to the PPPoE server.

[Image: Show_pppoe]

In Splynx we can see whether a customer is online and get his stats.

[Image: Online]

When we click the disconnect button, the customer should disappear from the online list and reconnect with a new session, which means that EdgeRouter accepted the incoming packet from Splynx Radius server.

5. Install other useful tools to EdgeRouter

PPPoE client tunnels are dynamically created and are not shown in the web dashboard. We need to get statistics of customer throughput, and a simple way to do it is to install the software bwm-ng. It’s located in the Debian repository, which means we need to add new repositories first and then install bwm-ng.
Add new repositories:

configure
set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy
set system package repository wheezy url http://http.us.debian.org/debian
set system package repository wheezy-security components main
set system package repository wheezy-security distribution wheezy/updates
set system package repository wheezy-security url http://security.debian.org
commit
save
exit

and install the tool:

apt-get install bwm-ng

Now you can run bwm-ng -u bits to get the actual Kbps throughput of PPPoE clients.
An example of bwm-ng output is in the picture below:

[Image: BWM-NG]

Now you can configure Splynx Radius server with UBNT EdgeRouter and benefit from a fast router that delivers 1 million packets per second routing performance in a compact and affordable unit!

If you face any difficulties, use our forum – https://splynx.com/forums/ or submit us a ticket – https://splynx.com/my-tickets/

Manage your whole network! Radius server + MikroTik API in Splynx

The core of the Splynx ISP Framework covers two important areas of ISP network management – AAA and bandwidth management. Radius server is used for these technologies: PPPoE, IPoE, DHCP, Hotspot, Static IPs. Mikrotik API can be used for advanced bandwidth management.

1. AAA. 

Authentication, authorization and customer accounting in an ISP network. Splynx has its own stable and scalable Radius server which helps you manage connections, hotspots, redirections, blocking of non-payers and admin access to equipment. More information about AAA in Splynx can be found in the following article: https://splynx.com/3186/splynx-radius-server/

2. Speed limitation and queues. 

Mikrotik RouterOS has a smart system of Queue Trees which can be used for contention purposes, limitation of speed and time-based access.
When you have hundreds or thousands of customers, you have to create and maintain many different rules – one rule per customer, plus parent queues for contention!

You can manage all Mikrotik queues centrally from Splynx. You can also upload local authentication rules, such as DHCP bindings, PPPoE users, Firewall entries or Wireless Access List using Mikrotik API. Authentication can be combined with the Radius server. Splynx supports Radius and the Mikrotik API at the same time.

We provide a way to separate where authentication is done from where queues are set up. This is used widely in Wireless ISP networks, because authentication is done on the AP closest to the customer, but queues are created in a central point or several central points. Another important feature is the ability to have the same queuing rules on different routers in mirroring mode.

Let’s imagine a situation where we authenticate users on each AP with Radius DHCP and create queues in our main location via the Internet. Then we get a second uplink in a different location. There is an obvious need for queues in the second uplink location too, because customers can be routed through either of these routers, depending on the internal routing protocol. This is shown in the example below:

[Image: API-example]

Splynx has a solution for setup with Mikrotik routers. As we described above, Splynx can authenticate users in one router, create queues in a second router and mirror them to a third router. This is achieved thanks to a flexible and stable API Framework internal infrastructure.

In the video manual below we describe advanced features and setup of MikroTik API and Radius in the Splynx ISP Framework.