Juniper Radius server configuration, updated

This is an updated version of the Radius server configuration for Juniper, using variables for the speed limitations.

1. Initial settings and some general comments
The first and most important step, before any other configuration is made, is to enter the command
set system dynamic-profile-options versioning
If this is not set, new dynamic profiles will not be used: JunOS reports that the old settings are still active.

General comments on the configuration:
a. Don't use the same name for different profiles. There should be one profile for access (Radius), one for the PPPoE template, one for speed limits, one for applying an interface, and one more if QinQ is used. This splits the configuration into parts and keeps it in order.
b. Don't use the same download and upload speeds; sometimes Juniper then ignores the speed limits for no apparent reason. (For example, for a 10M/10M plan set 10M download and 9.99M upload.)

2. Radius server definition in access profile RAD
set access profile RAD authentication-order radius
set access profile RAD domain-name-server 8.8.4.4
set access profile RAD domain-name-server 8.8.8.8
set access profile RAD radius authentication-server 172.16.0.35
set access profile RAD radius accounting-server 172.16.0.35
set access profile RAD radius options nas-identifier JUN
set access profile RAD radius options accounting-session-id-format decimal
set access profile RAD radius-server 172.16.0.35 secret <shared-secret>
set access profile RAD radius-server 172.16.0.35 timeout 5
set access profile RAD accounting order radius
set access profile RAD accounting immediate-update
set access profile RAD accounting coa-immediate-update
set access profile RAD accounting update-interval 10
set access profile RAD accounting statistics volume-time

3. Dynamic profile PPPoE, which sets up the PPPoE virtual interface template
set dynamic-profiles PPPoE routing-instances "$junos-routing-instance" interface "$junos-interface-name"
set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" no-traps
set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" ppp-options chap
set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" pppoe-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" pppoe-options server
set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" keepalives interval 30
set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"

4. Speed limitation profile, which is separate from the PPPoE profile and is called svc-inet-profile; please don't mix up the names!
set dynamic-profiles svc-inet-profile variables var-bw-upload
set dynamic-profiles svc-inet-profile variables var-bw-download
set dynamic-profiles svc-inet-profile variables var-ff-in-upload equals "'INET-' ## $var-bw-upload ## '-CLIENT-UPLOAD'"
set dynamic-profiles svc-inet-profile variables var-ff-in-upload uid
set dynamic-profiles svc-inet-profile variables var-ff-out-download equals "'INET-' ## $var-bw-download ## '-CLIENT-DOWNLOAD'"
set dynamic-profiles svc-inet-profile variables var-ff-out-download uid
set dynamic-profiles svc-inet-profile variables var-plr-upload equals "'plr-' ## $var-bw-upload"
set dynamic-profiles svc-inet-profile variables var-plr-upload uid
set dynamic-profiles svc-inet-profile variables var-plr-download equals "'plr-' ## $var-bw-download"
set dynamic-profiles svc-inet-profile variables var-plr-download uid
set dynamic-profiles svc-inet-profile interfaces pp0 unit "$junos-interface-unit" family inet filter input "$var-ff-out-download"
set dynamic-profiles svc-inet-profile interfaces pp0 unit "$junos-interface-unit" family inet filter input precedence 100
set dynamic-profiles svc-inet-profile interfaces pp0 unit "$junos-interface-unit" family inet filter output "$var-ff-in-upload"
set dynamic-profiles svc-inet-profile interfaces pp0 unit "$junos-interface-unit" family inet filter output precedence 100
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" interface-specific
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term policer then policer "$var-plr-upload"
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term policer then service-accounting
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term policer then service-filter-hit
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term policer then accept
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term service from service-filter-hit
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term service then accept
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" interface-specific
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term policer then policer "$var-plr-download"
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term policer then service-accounting
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term policer then service-filter-hit
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term policer then accept
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term service from service-filter-hit
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term service then accept
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-download" logical-interface-policer
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-download" if-exceeding bandwidth-limit "$var-bw-download"
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-download" if-exceeding burst-size-limit 1m
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-download" then discard
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-upload" logical-interface-policer
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-upload" if-exceeding bandwidth-limit "$var-bw-upload"
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-upload" if-exceeding burst-size-limit 1m
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-upload" then discard

5. VLAN profile, which is then used to set up the PPPoE server on the VLAN interface
set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" vlan-id "$junos-vlan-id"
set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" family pppoe access-concentrator JUN
set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" family pppoe dynamic-profile PPPoE

6. And this is how to apply PPPoE to the VLAN on the physical interface:

ae0 {
    flexible-vlan-tagging;
    auto-configure {
        vlan-ranges {
            dynamic-profile VLAN {
                accept pppoe;
                ranges {
                    any;
                }
            }
        }
        remove-when-no-subscribers;
    }
}
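Before committing the configuration from sections 1 to 6, it is worth checking it mechanically for the two mistakes the notes above warn about. The script below is an added example (not Juniper's or Splynx's code): it parses set-style commands (a constructed subset of the ones above, with one deliberate omission) and verifies that dynamic-profile versioning is enabled, that every $var-... variable used inside a dynamic profile is declared under that profile's variables stanza, and that any profile referenced by "dynamic-profile NAME" exists. Predefined $junos-... variables are skipped; the profile and variable names come from the article.

```python
"""Sanity checks on the Junos 'set' commands from sections 1 to 6.

Added example; this is not Juniper's or Splynx's code. It checks that
dynamic-profile versioning is enabled, that every "$var-..." variable used in
a dynamic profile is declared there, and that referenced profiles exist.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample: a subset of the article's commands.
# "$var-ff-in-upload" is used but never declared, so the check should flag it.
SAMPLE_CONFIG = """
set system dynamic-profile-options versioning
set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" no-traps
set dynamic-profiles svc-inet-profile variables var-bw-upload
set dynamic-profiles svc-inet-profile variables var-bw-download
set dynamic-profiles svc-inet-profile variables var-plr-upload equals "'plr-' ## $var-bw-upload"
set dynamic-profiles svc-inet-profile variables var-plr-upload uid
set dynamic-profiles svc-inet-profile interfaces pp0 unit "$junos-interface-unit" family inet filter output "$var-ff-in-upload"
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-upload" if-exceeding bandwidth-limit "$var-bw-upload"
set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" family pppoe dynamic-profile PPPoE
"""

VAR_REF = re.compile(r"\$([A-Za-z0-9_-]+)")
VERSIONING = ["system", "dynamic-profile-options", "versioning"]


def parse_set_lines(text):
    """Tokenise each 'set ...' line; shlex keeps quoted expressions as one token."""
    return [shlex.split(line) for line in text.splitlines()
            if line.strip().startswith("set ")]


def check_config(text):
    """Return versioning flag, undeclared variables per profile, missing profiles."""
    versioning = False
    profiles = set()
    declared = defaultdict(set)
    referenced = defaultdict(set)
    referenced_profiles = set()
    for tokens in parse_set_lines(text):
        body = tokens[1:]
        if body[:3] == VERSIONING:
            versioning = True
            continue
        if len(body) < 3 or body[0] != "dynamic-profiles":
            continue
        profile, rest = body[1], body[2:]
        profiles.add(profile)
        if rest[0] == "variables" and len(rest) > 1:
            declared[profile].add(rest[1])
        for tok in rest:
            for name in VAR_REF.findall(tok):
                if not name.startswith("junos-"):      # predefined Junos variables
                    referenced[profile].add(name)
        for i, tok in enumerate(rest[:-1]):
            if tok == "dynamic-profile":              # e.g. 'family pppoe dynamic-profile PPPoE'
                referenced_profiles.add(rest[i + 1])
    undeclared = {p: sorted(referenced[p] - declared[p])
                  for p in profiles if referenced[p] - declared[p]}
    return {
        "versioning": versioning,
        "undeclared_variables": undeclared,
        "missing_profiles": sorted(referenced_profiles - profiles),
    }


if __name__ == "__main__":
    result = check_config(SAMPLE_CONFIG)
    if not result["versioning"]:
        print("WARNING: dynamic-profile-options versioning is not set")
    for profile, names in result["undeclared_variables"].items():
        print(f"{profile}: undeclared variables {names}")
    for name in result["missing_profiles"]:
        print(f"referenced dynamic-profile {name} does not exist")
```

Run it against the full "show configuration | display set" output of the router; a variable that is referenced but not declared, or a profile name typed differently in the VLAN profile and in the PPPoE profile, shows up before the commit rather than as a subscriber that never gets a policer.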

7. The Radius attribute should be this one, which selects the speed limitation profile:
ERX-Service-Activate:1 = SERVICE({{ rx_rate_limit/1024/1000 }}M,{{ tx_rate_limit/1024/1000 }}M)

Please note that "M" is appended so that Splynx sends the values to Juniper in megabits. Juniper accepts speeds such as 1M, 2M, 20M and similar, so make sure that the expression in the attribute returns the number you expect.
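To see what the attribute will actually carry, the following Python is an added example (not Splynx's or Juniper's code). It reproduces the template arithmetic above (rx_rate_limit/1024/1000 and tx_rate_limit/1024/1000 with "M" appended), checks that both values are something Junos accepts (a positive number followed by M), and applies the advice from section 1 not to send identical download and upload speeds, so 10M/10M becomes 10M/9.99M. It assumes the tariff values are in the unit the template expects, so that 10,240,000 renders as 10M, and takes the 0.01M step from the article's example.

```python
"""Render and check the ERX-Service-Activate value from a Splynx tariff.

Added example, not Splynx's or Juniper's code. Assumptions: tariff values are
in the unit the template expects (10,240,000 -> 10M); the 0.01M step comes
from the article's 10M/9.99M example.
"""
import re
from decimal import Decimal

SPEED_TOKEN = re.compile(r"^(\d+(?:\.\d+)?)M$")
ATTRIBUTE = re.compile(r"^ERX-Service-Activate:1 = SERVICE\(([^,]+),([^)]+)\)$")
EQUAL_SPEED_STEP = Decimal("0.01")   # assumption: the 9.99M trick from section 1


def fmt(value):
    """Decimal -> shortest plain string (Decimal('1E+1') -> '10', 9.99 stays 9.99)."""
    return format(value.normalize(), "f")


def render_service_activate(rx_rate_limit, tx_rate_limit, avoid_equal=True):
    """Value of ERX-Service-Activate:1 as the template renders it."""
    download = Decimal(rx_rate_limit) / 1024 / 1000   # rx_rate_limit/1024/1000
    upload = Decimal(tx_rate_limit) / 1024 / 1000     # tx_rate_limit/1024/1000
    if avoid_equal and download == upload:
        upload -= EQUAL_SPEED_STEP                    # 10M/10M -> 10M/9.99M
    return f"SERVICE({fmt(download)}M,{fmt(upload)}M)"


def render_attribute(rx_rate_limit, tx_rate_limit, avoid_equal=True):
    return "ERX-Service-Activate:1 = " + render_service_activate(
        rx_rate_limit, tx_rate_limit, avoid_equal)


def is_valid_speed_token(token):
    """True for values Junos accepts in the profile: a positive number plus 'M'."""
    m = SPEED_TOKEN.match(token.strip())
    return bool(m) and Decimal(m.group(1)) > 0


def check_attribute(line):
    """Return a list of problems with a rendered attribute line (empty = fine)."""
    m = ATTRIBUTE.match(line.strip())
    if not m:
        return ["line does not have the form ERX-Service-Activate:1 = SERVICE(down,up)"]
    download, upload = m.group(1).strip(), m.group(2).strip()
    problems = [f"bad speed token {t!r}"
                for t in (download, upload) if not is_valid_speed_token(t)]
    if not problems and Decimal(download[:-1]) == Decimal(upload[:-1]):
        problems.append("download and upload are identical; Juniper may ignore the limits")
    return problems


if __name__ == "__main__":
    line = render_attribute(10240000, 10240000)
    print(line, check_attribute(line) or "ok")
```

If a tariff value in your Splynx installation is stored in a different unit, the first thing check_attribute reports is a token like "0.01M" or "0M", which is exactly the case the paragraph above asks you to rule out before the attribute reaches the router.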

Huawei NE (NetEngine) router Radius configuration

Hello, in this article we will tackle the configuration of the Huawei NE20 and Huawei NE40 routers with the Radius server. We will use the Splynx Radius server to authenticate PPPoE customers that connect to the Huawei BRAS.

Here is the OS version of the Huawei NE20E on which the tests were made:
display version

Huawei Versatile Routing Platform Software
VRP (R) software, Version 8.120 (NE20E)
Copyright (C) 2012-2017 Huawei Technologies Co., Ltd.

First of all, the Radius server data should be configured. 10.0.0.1 is the IP address of the Radius server and 12345 is the shared secret.

radius-server group splynx
 radius-server shared-key-cipher 12345
 radius-server authentication 10.0.0.1 1812 weight 0
 radius-server accounting 10.0.0.1 1813 weight 0
 undo radius-server user-name domain-included
 radius-attribute hw-user-password simple coa-request

authentication-scheme radius
accounting-scheme radius
 accounting interim interval 3

When this is configured, we can set up the domain, i.e. the settings used for customer authentication. We can define a pool of IP addresses that Huawei will assign to users, or the IPs can be assigned to end-user sessions by the Splynx Radius server.

domain pppoe
 authentication-scheme radius
 accounting-scheme radius
 radius-server group splynx
 ip-pool my_pool

If we use the pool my_pool, it needs to be defined. It is configured under the NAT section, together with the IP addresses that will be used as public IPs for NAT/PAT translations:

nat instance my_nat id 1
 nat address-group address group-id 1 109.205.245.1 109.205.245.10
ip pool my_pool bas local
 gateway 192.168.0.1 255.255.255.0
 section 0 192.168.0.10 192.168.0.100
 dns-server 8.8.8.8

Then we add the "bas" settings, which activate the PPPoE server on the physical interface or VLAN:

interface GigabitEthernet0/0/0.50
 user-vlan 50
 bas

All commands were entered in configuration mode and confirmed with "commit" to save them to the configuration.

When all these settings are done, the next step is to configure the Radius server. A few steps are needed:
1. Inside the Splynx configuration, add a new NAS of type Huawei.
2. Edit the Radius configuration under Networking and load the Huawei settings.
3. Set several values in the configuration:

Allow with no account balance: allows customers with a negative balance to be authenticated. In practice this is any customer with an unpaid invoice, which is why it is better to keep it always enabled.

Inverse accounting: Huawei treats the customer's PPPoE session as an interface, so the customer's download is upload from the point of view of the Huawei OS.

The same applies to the definition of speed limits, where you can see that Input-Peak takes the variable "tx_rate_limit" from the Splynx tariff plan.

There are two basic attributes for setting up speed limitation of customer PPPoE sessions:

  • Huawei-Input-Peak-Rate = {{ tx_rate_limit }}
  • Huawei-Output-Peak-Rate = {{ rx_rate_limit }}

Two more Radius attributes can be used to define bursts.

  • Huawei-Input-Burst-Size
  • Huawei-Output-Burst-Size

All the attributes mentioned above are standard attributes supported by dictionary.huawei, which is located in the /usr/share/freeradius folder of the Splynx Radius server.

Below is an example of adding a new NAS to Splynx and setting its parameters.

When a PPPoE customer is connected, we should check his session on our Huawei router using the command display access-user domain pppoe verbose

The output on the CLI should be similar to what is shown below; the important part is the ACL&QoS section, which shows that the speed limits have been applied:

Basic:
State : Used
User name : splynx-test
Domain name : pppoe
User backup state : No
User access interface : GigabitEthernet0/0/0.50
User access PeVlan/CeVlan : 50/-
User access slot : 0
User MAC : abcd-1234-9876
User IP address : 192.168.0.95
User IP netmask : 255.255.255.255
User gateway address : 192.168.0.1

ACL&QoS:
Inbound qos configuration : User-CAR
Inbound cir : 0(kbps)
Inbound pir : 512(kbps)(Radius)
Inbound cbs : 0(bytes)
Inbound pbs : 95744(bytes)
Outbound qos configuration : User-queue
Outbound cir : 0(kbps)
Outbound pir : 1024(kbps)(Radius)
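The inverse mapping of the two attributes and the check of the session output can be automated. The script below is an added example (not Splynx's or Huawei's code): it builds the Huawei-Input-Peak-Rate / Huawei-Output-Peak-Rate pair from a tariff following the rule that the customer's download is the BRAS's outbound direction, then parses the ACL&QoS part of "display access-user domain pppoe verbose" and confirms that the PIR values the router applied were set by Radius and match the tariff. The CLI text is constructed from the sample above; the rates are assumed to be in kbps, the unit the router prints.

```python
"""Huawei speed attributes from a Splynx tariff, and a check of the BRAS session.

Added example (not Splynx's or Huawei's code). Applies the inverse mapping
from the article (Huawei-Input-Peak-Rate = tx_rate_limit,
Huawei-Output-Peak-Rate = rx_rate_limit) and verifies it against the
'display access-user ... verbose' output. Rates are assumed to be in kbps.
"""
import re

# Constructed from the article's sample output.
SAMPLE_OUTPUT = """\
Basic:
State : Used
User name : splynx-test
Domain name : pppoe
User IP address : 192.168.0.95

ACL&QoS:
Inbound qos configuration : User-CAR
Inbound cir : 0(kbps)
Inbound pir : 512(kbps)(Radius)
Inbound cbs : 0(bytes)
Inbound pbs : 95744(bytes)
Outbound qos configuration : User-queue
Outbound cir : 0(kbps)
Outbound pir : 1024(kbps)(Radius)
"""

PIR_LINE = re.compile(r"^\s*(Inbound|Outbound) pir\s*:\s*(\d+)\(kbps\)(?:\((\w+)\))?", re.M)
FIELD_LINE = re.compile(r"^\s*(User name|Domain name|User IP address)\s*:\s*(\S+)", re.M)

# BRAS direction -> Radius attribute, following the inverse-accounting rule.
DIRECTION_ATTR = {"inbound": "Huawei-Input-Peak-Rate", "outbound": "Huawei-Output-Peak-Rate"}


def huawei_rate_attributes(tariff):
    """Reply attributes for a tariff {'rx_rate_limit': kbps, 'tx_rate_limit': kbps}."""
    return {
        "Huawei-Input-Peak-Rate": tariff["tx_rate_limit"],   # customer upload   = BRAS inbound
        "Huawei-Output-Peak-Rate": tariff["rx_rate_limit"],  # customer download = BRAS outbound
    }


def parse_session(output):
    """Pick the identifying fields and the applied PIR per direction out of the CLI output."""
    session = {k: v for k, v in FIELD_LINE.findall(output)}
    session["pir"] = {}
    for direction, value, source in PIR_LINE.findall(output):
        # The router appends '(Radius)' when the rate came from the Access-Accept.
        session["pir"][direction.lower()] = {"kbps": int(value), "source": source or "local"}
    return session


def verify_session(output, tariff, username=None):
    """Return the list of mismatches between the tariff and what the BRAS applied."""
    expected = huawei_rate_attributes(tariff)
    session = parse_session(output)
    problems = []
    if username and session.get("User name") != username:
        problems.append(f"session belongs to {session.get('User name')!r}, not {username!r}")
    for direction, attr in DIRECTION_ATTR.items():
        applied = session["pir"].get(direction)
        if applied is None:
            problems.append(f"{direction}: no pir line in output")
            continue
        if applied["source"] != "Radius":
            problems.append(f"{direction}: pir not set by Radius (source {applied['source']})")
        if applied["kbps"] != expected[attr]:
            problems.append(f"{direction}: router applied {applied['kbps']} kbps, {attr} is {expected[attr]}")
    return problems


if __name__ == "__main__":
    tariff = {"rx_rate_limit": 1024, "tx_rate_limit": 512}   # constructed 1M/512k plan
    print(huawei_rate_attributes(tariff))
    print(verify_session(SAMPLE_OUTPUT, tariff, "splynx-test") or "session matches the tariff")
```

A PIR line without "(Radius)" means the limit came from the local domain or user-queue configuration, not from the Access-Accept; that is the symptom to look for when the attributes are set in Splynx but customers still get the wrong speed.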

It will also be useful to check the related guide about Huawei GPON configuration in Splynx.

Mikrotik IPv6 configuration

This topic describes how to configure a Mikrotik router to act as a PPPoE server with IPv6 enabled. IPv6 configuration in general is described in the article https://splynx.com/5665/splynx-ipv6-support/ and IPv6 home router configuration can be found here: https://splynx.com/5747/ipv6-cpe-and-home-routers-support/

The first tests were started with RouterOS version 6.42.6; unfortunately, versions prior to 6.43 don't support the Radius Delegated-IPv6-Prefix attribute at all, and 6.43 doesn't support DHCPv6 accounting, so please upgrade to RouterOS 6.46.1 or later.

When the router is upgraded, we can work on PPPoE server configuration.

As the first step, a Mikrotik PPPoE server with Radius authentication should be created. Below is a screenshot of the PPPoE server configuration on RouterOS.

Please note that an IPv6 pool should be selected; this is important. It is the IPv6 network that we use on the PPPoE server, and customers should receive delegated IPv6 prefixes from this pool. At the moment (Mikrotik version 6.46), the Radius server is not able to assign the delegated IPv6 network to the PPPoE customer.
That's why the pool has to be defined under IPv6 pool; then, when the customer is online, Splynx grabs the IPv6 network in use from the Radius accounting packets and stores it in its own database.

Below is a link to a petition asking Mikrotik to support Delegated-IPv6-Prefix correctly.
Currently, the attribute can be sent from Radius to the Mikrotik PPPoE server in the Access-Accept message, but it is ignored by the router.
When the IPv6 prefix is delegated from the IP pool inside the Mikrotik PPPoE settings, the Delegated-IPv6-Prefix attribute is sent back to Radius in accounting packets, informing it that the customer got a certain delegated IPv6 prefix.

https://www.change.org/p/wisp-the-implementation-of-radius-delegated-ipv6-prefix-for-mikrotik-pppoe-servers

Unfortunately, there is no way to assign a public IPv6 address to the customer's WAN PPPoE interface via the Radius server. The lack of this feature is not crucial, because PPPoE works well on link-local addresses, but we think it should also be available in the Mikrotik Radius implementation.

Regarding the Splynx configuration: the customer's Internet service should be configured with empty IPv6 and Delegated IPv6 fields. The IPv6 prefix appears in the customer's online session and is stored in the logs and statistics. Radius-based simple queues are applied to the PPPoE tunnel, and no additional queue is needed for IPv6 traffic. Below is a screenshot of such sessions.
Another way to check the IPv6 prefixes assigned to CPE devices is to look at the DHCPv6 server leases on the Mikrotik.
Below is an example of active DHCPv6 leases.

The next question is how to block IPv6 traffic. Usually, IPv4 traffic is blocked by putting the customer's IP address into an address list and redirecting the traffic. The other option is to assign the customer an IP address from a special pool for blocked subscribers. This cannot be achieved with IPv6, because currently Radius cannot assign a special pool or manipulate the end user's IPv6 in any way.

The only possible option is to have several profiles configured on the Mikrotik PPPoE server. The profile can be sent from Radius to the Mikrotik PPPoE router via the attribute Mikrotik-Group. Here is the description of the attribute from the Mikrotik website:
Mikrotik-Group – Router local user group name (defines in /user group) for local users; HotSpot default profile for HotSpot users; PPP default profile name for PPP users.

In this case, we define two profiles, default and block, with two different IPv6 pools. The default profile is used for authenticated users, and the block profile is assigned to locked or non-authenticated customers.
These two profiles should be defined in the Splynx Radius blocking attributes; please follow the screenshot below.

The second option for blocking customers is to use the Mikrotik-Delegated-IPv6-Pool attribute: instead of choosing and configuring different profiles, it is possible to set the name of the pool that should be used for the blocked customer. For example, an active customer will get an IPv6 prefix from the pool "default", and in case of blocking he will get IPv6 from the pool "blocked".
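The two blocking options and the accounting feedback loop described above fit into a few lines of reply-attribute logic. The following Python is an added example (not Splynx's or Mikrotik's code): it picks the Access-Accept attribute for an active or blocked customer using either Mikrotik-Group (a PPP profile name) or Mikrotik-Delegated-IPv6-Pool (a pool name), stores the Delegated-IPv6-Prefix that comes back in accounting the way Splynx keeps it per session, and checks that the reported prefix actually belongs to the pool the customer's status calls for, which is the only way to notice that a "blocked" customer is still being served from the default pool. The pool ranges, profile names and accounting values are constructed for the example.

```python
"""Mikrotik IPv6 blocking via Radius reply attributes, with an accounting check.

Added example (not Splynx's or Mikrotik's code). Pools, profile names and
accounting values are constructed; the attribute names are the ones the
article uses (Mikrotik-Group, Mikrotik-Delegated-IPv6-Pool,
Delegated-IPv6-Prefix).
"""
import ipaddress

# Constructed: the IPv6 pools as they would be defined under /ipv6 pool on the router.
POOLS = {
    "default": ipaddress.ip_network("2001:db8:100::/48"),
    "blocked": ipaddress.ip_network("2001:db8:ff00::/48"),
}
# PPP profile per customer status (option 1) and pool per status (option 2).
PROFILE_FOR_STATUS = {"active": "default", "blocked": "block"}
POOL_FOR_STATUS = {"active": "default", "blocked": "blocked"}


def reply_attributes(status, method="group"):
    """Attributes to put in the Access-Accept for a customer with this status."""
    if method == "group":
        return {"Mikrotik-Group": PROFILE_FOR_STATUS[status]}
    if method == "pool":
        return {"Mikrotik-Delegated-IPv6-Pool": POOL_FOR_STATUS[status]}
    raise ValueError(f"unknown blocking method {method!r}")


def check_accounting(status, acct_attrs):
    """Return (ok, message): does the delegated prefix match the pool for this status?"""
    prefix_text = acct_attrs.get("Delegated-IPv6-Prefix")
    if prefix_text is None:
        return False, ("no Delegated-IPv6-Prefix in the accounting packet "
                       "(check the RouterOS version and the IPv6 pool on the PPPoE server)")
    prefix = ipaddress.ip_network(prefix_text, strict=False)
    if prefix.version != 6:
        return False, f"{prefix} is not an IPv6 prefix"
    expected = POOL_FOR_STATUS[status]
    if prefix.subnet_of(POOLS[expected]):
        return True, f"{prefix} is inside pool '{expected}', as expected for a {status} customer"
    for name, pool in POOLS.items():
        if prefix.subnet_of(pool):
            return False, f"{prefix} came from pool '{name}', expected '{expected}' for a {status} customer"
    return False, f"{prefix} is not from any configured pool"


class SessionStore:
    """Stands in for Splynx keeping the prefix learnt from accounting per customer."""

    def __init__(self):
        self.prefixes = {}

    def record(self, username, acct_attrs):
        """Update the stored prefix from an Accounting-Request; return the current value."""
        prefix = acct_attrs.get("Delegated-IPv6-Prefix")
        if acct_attrs.get("Acct-Status-Type") == "Stop":
            self.prefixes.pop(username, None)
        elif prefix:
            self.prefixes[username] = prefix
        return self.prefixes.get(username)


if __name__ == "__main__":
    store = SessionStore()
    # Constructed accounting packet for a customer who should have been blocked.
    acct = {"Acct-Status-Type": "Start", "Delegated-IPv6-Prefix": "2001:db8:100:1200::/56"}
    store.record("customer1", acct)
    print(reply_attributes("blocked"), check_accounting("blocked", acct))
```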
Mikrotik as CPE or home router with IPv6
Mikrotik can act as a home router or CPE with IPv6 support enabled. First of all, we need to activate the IPv6 package, which is disabled by default.

Let's imagine that we have one WAN interface with a pppoe-client and a bridge configured for the LAN interfaces.
After activating the pppoe interface and setting the user/password there, we should enable a DHCPv6 client on the pppoe-client interface. The DHCPv6 client should receive the delegated prefix from the PPPoE router (yes, it sounds weird, but a DHCP client runs over the PPPoE client for IPv6, because natively there is no way to provide a delegated prefix to the home router).
Please don't forget to configure the pool name and then create an IPv6 address assignment with SLAAC on the LAN interface. It is easiest to just copy and paste the configuration shown on the screenshot below 🙂
Should you have any questions about IPv6 configuration, or want to try Splynx in action, feel free to contact us.

Splynx Radius server

The Splynx ISP framework consists of different sub-systems. One of the main and most important parts of the framework is the Splynx Radius server, which supports PPPoE, DHCP, IPoE, Hotspot, Wireless and Static IP/MAC authentication. The Splynx solution also provides smart bandwidth management, billing and other useful features.

The Splynx Radius server is used to perform AAA tasks.
Authentication – networking equipment checks with the Radius server whether the login/password of the connecting device or user is correct. If it matches an entry in the Radius server, the device or user is able to access the equipment or get the service.
Authorization – defines which actions are allowed for the user or device and its privilege level.
Accounting – statistics of Internet usage, or information about what was done on the equipment.

1. Administrative AAA.
Authentication: with Splynx you can set things up so that when an administrator accesses equipment, his credentials are checked against the Radius server database.
If his username/password is correct, he is able to log in to the equipment; if not, he gets no access. This is a very convenient approach compared to local logins.
Imagine hiring a new administrator and having to update hundreds of routers, APs and switches to create a local login for him everywhere.
Or you could give him one common login/password, but when a person leaves the company you would have to change those credentials everywhere.
It is better to connect all networking devices to the Radius server and verify administrator logins using the Radius protocol.
Authorization: different levels of access can be implemented. Some administrators can change the configuration, some can only view and read it.
Accounting: Splynx stores information on when a network unit was accessed by an administrator and what was done there.

Below are tutorials showing how to configure admin login using the Splynx Radius server on different platforms:

Mikrotik: Radius admin login to Mikrotik routers

Administrative login to Cisco devices

2. Customer’s AAA.
The Splynx Radius server supports different ways of central customer authentication in the network of an Internet provider. It always depends on the topology of the ISP and the technology it decides to use. The widely used access technologies and their advantages and disadvantages are described below:

PPPoE – easy to maintain and implement. The customer sets a username and password on the CPE device, and the CPE receives all networking settings from the PPPoE NAS (Network Access Server). It also provides encryption if needed, and accounting for usage statistics. It had issues with MTU in the past, but in recent years these were fixed by the main vendors.

IPoE (or DHCP) – DHCP is based on the MAC address of the client. It can also be linked to the switch port where a customer is connected (DHCP option 82). Several vendors do not provide accounting capability for it (e.g. Mikrotik routers).

Wireless authentication – when an ISP has a wireless network, it needs to control the access of CPE devices to its access points. For this purpose, several wireless authentication methods are used, such as a password inside TDMA protocols or wireless access lists.

Hotspot – the customer has to enter his username and password on a web page before using the Internet. Many hotspot networks allow free limited access and then charge customers for additional usage or advanced plans.

Static IP addressing – some ISPs have no central authentication management and set static IP addresses on CPE devices. On the Mikrotik RouterOS platform Splynx can even manage customers with static IPs, in a VLAN per customer or on a plain IPv4 connection. Splynx can also grab statistics from Mikrotik routers for such customers.

Below are manuals for different types of user authentication in Splynx ISP Framework :

Mikrotik: DHCP using Radius

Mikrotik: PPPoE and other PPP tunnels using Radius

Mikrotik: Hotspot with Radius

Mikrotik: Static IP addressing with API authentication/accounting

Mikrotik: Local DHCP with Mikrotik API

Ubiquiti: Wireless authentication with Radius

Ubiquiti: PPPoE authentication on Edge Routers

Cisco: PPPoE with Radius

Cambium: Wireless Authentication via Radius


Should you have any questions regarding the Splynx RADIUS server, or need further information, please contact us or schedule a call with our engineer.

Splynx Radius configuration and troubleshooting

This post shows how to troubleshoot communication between a router (Mikrotik in this example) and Radius.

A video tutorial for Radius configuration can be found here: https://splynx.com/384/ispframework-and-radius-mikrotik-example/. Below are the steps for Radius and Splynx configuration:

Step 1. Mikrotik Radius section
To configure the Mikrotik router for Radius authentication, we should change the settings in the Mikrotik Radius section.
1) Choose the services that have to be authenticated by Radius (ppp, DHCP, login, etc.)
2) Enter the IP address = Splynx IP address, reachable from the Mikrotik
3) Secret = this value is located at Splynx -> Router -> Edit -> Radius secret

(screenshot: mikrotik_router_radius)

4) We cannot use more than one Radius server per service

(screenshot: router_radius)

Step 2. MikroTik PPP (in case PPPoE is used)
1) Under Secrets -> PPP Authentication & Accounting, enable the features "Use radius (yes), Accounting (yes)"

(screenshot: ppp_authentication)

2) Set Profile to default or default-encrypted, and set Local address (the IP of the Mikrotik router used for establishing PPP connections)

(screenshot: ppp_local_address)

Step 2. MikroTik DHCP (in case IPoE is used)
If we use IPoE authentication (DHCP), we should enable Radius communication on the DHCP server.

(screenshot: radius_dhcp)

Step 2. MikroTik Hotspot (in case Hotspot is used)
To enable Radius hotspot authentication, please change the Hotspot configuration of the Mikrotik under IP -> Hotspot as shown below:

(screenshot: radius_hotspot)

When the services are enabled for Radius authentication, we can move forward and configure the router in Splynx.

Step 3. Splynx router configuration
Splynx -> Networking -> Routers: here you can edit or change router settings. The important fields to fill in are:
1) Radius Secret should be the same as in the Mikrotik settings
2) IP/Host: the real IP (or host, or dyndns host) from which the Mikrotik sends packets. When there is NAT between the Mikrotik and the Splynx Radius server, the host IP will be the public IP of the NAT router and the real IP will be the private IP of the Mikrotik router.
3) Authorization/Accounting: please set DHCP/PPP/HotSpot Radius. Even if you choose PPP, DHCP and Hotspot authentication will work as well. The difference is in DHCP Radius, where accounting is done via API. It means that to get statistics from the DHCP server, Splynx connects to the API of the Mikrotik. This is because Mikrotik routers do not support Radius accounting packets for DHCP.
4) NAS IP: the IP address of the router (NAS-IP-Address in the Radius packet); when you use the hostname of the router you need to set this IP. (You can set this IP on the Mikrotik under Radius -> Src. Address.)

(screenshot: radius_settings)

Step 4. Define IP networks for IP assignments
Splynx -> Networking -> IPv4 networks
1) Add a network for dynamic assignment (pool) or permanent (static) usage

(screenshot: networks)

Step 5. Activate the customer and set the Internet service
When we have added the router and networks to Splynx, it is the right time to add a customer and activate him.

(screenshot: active)

Then we need to create an Internet service for the customer with PPP details (or MAC address in case of DHCP authentication), IP address and other details.

(screenshot: service)

If all these steps were done and the Mikrotik router still shows a Radius timeout in its log, we need to do some quick troubleshooting.

Troubleshooting
First of all, check the file in the Splynx logs called radius/short. It can be found under Splynx -> Administration -> Logs -> Files. If this file is empty, the Radius server should be set to debug mode.

The Splynx Radius server consists of 2 daemons: splynx_radd and freeradius. They have different debugging and show different information. Let's start with splynx_radd debugging:

To enable debug mode of Splynx, connect via SSH to the Splynx server and change the configuration file /var/www/splynx/config/radius.php:
in the [debug] section, enable should be changed to "true"

To restart the Radius server, enter the command in SSH: service splynx_radd restart

Now we can check the debug file; again it is accessible from the CLI of the Linux Splynx server:
/var/www/splynx/logs/radius/debug.log
The best way to check the file is the command tail -f /var/www/splynx/logs/radius/debug.log

If the splynx_radd debug doesn't show us anything, we can try to run the freeradius daemon in debug mode and see whether any packets are received by the Radius server.

Run the CLI commands:
service freeradius stop
freeradius -Xxxx

and check the CLI console output.

If you don't see any debug messages when a customer tries to connect to the Mikrotik router, it means that your router cannot send packets to the Radius server at all, and you have to verify the networking, routing and NAT settings of the network.
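The freeradius debug output can be long, and the three situations that matter here (nothing arrived from the router, packets arrived but were dropped, packets were answered) are easy to tell apart mechanically. The script below is an added example, not part of Splynx's tooling: it reads the console output of freeradius -X, counts the request, unknown-client, bad-secret and reply lines that involve the router's address, and turns the counts into the next thing to check. The log lines are constructed to resemble FreeRADIUS 3 debug messages; treat the exact wording of the patterns as an assumption and adjust them to the version installed on your Splynx server.

```python
"""Triage of 'freeradius -X' output: did the router's packets reach the Radius server?

Added example, not Splynx's tooling. The sample lines are constructed in the
style of FreeRADIUS 3 debug output; the patterns are assumptions to adjust
for the installed version.
"""
import re

NAS_IP = "192.0.2.10"   # constructed: the Mikrotik's address as seen by Splynx

SAMPLE_DEBUG = """\
Ready to process requests
Ignoring request to auth address * port 1812 bound to server default from unknown client 192.0.2.10 port 45678 proto udp
(0) Received Access-Request Id 17 from 192.0.2.10:45678 to 10.0.0.1:1812 length 120
(0) Received packet from 192.0.2.10 with invalid Message-Authenticator!  (Shared secret is incorrect.)
(1) Received Access-Request Id 18 from 192.0.2.10:45679 to 10.0.0.1:1812 length 120
(1) Sent Access-Accept Id 18 from 10.0.0.1:1812 to 192.0.2.10:45679 length 0
"""

PATTERNS = {
    "received": re.compile(r"Received (Access-Request|Accounting-Request) Id (\d+) from (\S+?):(\d+)"),
    "unknown_client": re.compile(r"from unknown client (\S+) port"),
    "bad_secret": re.compile(r"Received packet from (\S+) with invalid Message-Authenticator"),
    "sent": re.compile(r"Sent (Access-Accept|Access-Reject|Accounting-Response) Id (\d+) from \S+ to (\S+?):(\d+)"),
}
# Which regex group holds the NAS address for each pattern.
IP_GROUP = {"received": 3, "unknown_client": 1, "bad_secret": 1, "sent": 3}


def summarize(debug_text, nas_ip):
    """Count the interesting debug lines that involve nas_ip."""
    counts = {kind: 0 for kind in PATTERNS}
    for line in debug_text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m and m.group(IP_GROUP[kind]) == nas_ip:
                counts[kind] += 1
    return counts


def diagnose(counts):
    """Map the counts to the checks the troubleshooting steps above describe."""
    if not any(counts[k] for k in ("received", "unknown_client", "bad_secret")):
        return ["no packets from the NAS reached FreeRADIUS: check routing, NAT and the Radius server IP on the router"]
    findings = []
    if counts["unknown_client"]:
        findings.append("packets from an unknown client: check IP/Host and NAS IP of the router in Splynx")
    if counts["bad_secret"]:
        findings.append("shared secret mismatch: compare the Radius secret on the router and in Splynx")
    if counts["sent"] < counts["received"]:
        findings.append("some requests got no reply: check splynx_radd debug.log")
    return findings or ["Radius exchange looks healthy"]


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEBUG
    for finding in diagnose(summarize(text, NAS_IP)):
        print(finding)
```

Pipe the captured console output into it (freeradius -X 2>&1 | tee radius-debug.txt, then python3 triage.py < radius-debug.txt, both assumed file names). An "unknown client" result with the router's public NAT address points at the IP/Host field from Step 3; a secret mismatch points at Step 1 and the Radius Secret field.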

On the Mikrotik router it is also possible to run extended debug to see exactly what the router is sending to the Radius server:

(screenshot: debug_router)